[nerd project]
[tech] April 26, 2026 · 3 min read

University subdomains hijacked for porn: a DNS hygiene failure

Hijacked university subdomains are actively serving pornographic content and scam pages to unsuspecting users, and the list of affected institutions includes some of the most prestigious academic names in the world. This isn't a sophisticated cyberattack — it's a slow-motion administrative failure that's been building for years.

How we got here

Universities spin up subdomains constantly — for research projects, campus events, departmental tools, temporary microsites. The problem is what happens when those projects end: the subdomains get forgotten, left dangling in DNS records, still pointing at third-party services that no longer exist. It's the digital equivalent of leaving your house keys in a lock you forgot you installed.

What's actually happening

According to the Ars Technica report, hundreds of subdomains belonging to dozens of universities have been taken over by scammers using a well-documented technique called subdomain takeover. The attack works like this: a scammer scans for subdomains that point to decommissioned third-party services — think orphaned GitHub Pages accounts, abandoned AWS S3 buckets, or expired Heroku apps — and simply claims that external resource before anyone notices. Once they do, the trusted .edu domain does all the heavy lifting. Search engines assign high authority to .edu domains, meaning this junk content can rank surprisingly well and reach a wide audience before anyone catches on.

What this really means

This is not a technology failure — it's a governance failure. Universities spend millions on firewalls, threat detection, and security audits while leaving basic DNS hygiene completely unattended. The real losers here are students, researchers, and anyone who clicks a .edu link trusting it's safe — a trust that, until now, was largely justified. That implicit trust is now being actively exploited.

The broader implications

Subdomain takeover isn't new, but this case makes it impossible to ignore for any large organization managing dozens or hundreds of domains. The fix is neither expensive nor technically complex:

  • Regularly audit all active subdomains using tools like subfinder or amass.
  • Remove or redirect any subdomains not pointing to an actively maintained resource.
  • Set up automated alerts when a linked third-party service goes dark.
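
One way to run the audit described in the list above, as an added example (not code from the article or from Ars Technica). It assumes you can export your own zone's CNAME records and keep an inventory of third-party resources that a named owner still maintains; the `example.edu` records, the inventory and the stub resolver are constructed sample data.

```python
import socket

# Hosting suffixes for the services the article names (GitHub Pages, AWS S3,
# Heroku). Illustrative: extend with the providers your organization uses.
THIRD_PARTY_SUFFIXES = (".github.io", ".s3.amazonaws.com", ".herokuapp.com")

# Constructed sample data: a zone export and an inventory of resources that a
# named owner has confirmed are still maintained.
SAMPLE_ZONE = [
    ("www.example.edu", "web-prod.example.edu."),
    ("hackathon2019.example.edu", "example-hackathon.github.io."),
    ("lab-data.example.edu", "lab-data-archive.s3.amazonaws.com."),
    ("events.example.edu", "Campus-Events.herokuapp.com."),
]
SAMPLE_INVENTORY = {"campus-events.herokuapp.com"}
SAMPLE_LIVE = {"lab-data-archive.s3.amazonaws.com", "campus-events.herokuapp.com"}

def system_resolves(hostname):
    """Real lookup: True if the name resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(hostname, None))
    except socket.gaierror:
        return False

def audit_zone(records, inventory, resolves=system_resolves):
    """Classify every CNAME that leaves the organization's own infrastructure."""
    findings = []
    for name, target in records:
        target = target.rstrip(".").lower()
        if not target.endswith(THIRD_PARTY_SUFFIXES):
            continue  # internal target, out of scope for this check
        if not resolves(target):
            status = "dangling"    # target is gone: remove or redirect the record
        elif target not in inventory:
            status = "unverified"  # resolves, but nobody vouches for the resource
        else:
            status = "ok"
        findings.append((name, target, status))
    return findings

if __name__ == "__main__":
    # Offline demo with a stub resolver; omit `resolves` for real DNS lookups.
    for name, target, status in audit_zone(
            SAMPLE_ZONE, SAMPLE_INVENTORY, resolves=SAMPLE_LIVE.__contains__):
        print(f"{status:10} {name} -> {target}")
```

The inventory check is kept separate from the DNS check because some hosting providers answer DNS for any name under their suffix, so a target that resolves is not proof that the resource behind it still belongs to you.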

What makes this embarrassing for universities specifically is that this type of attack has been publicly documented for nearly a decade. The security community has written about it extensively. There's no shortage of free tooling to detect it. The gap here isn't knowledge or budget — it's attention. Large institutions are structurally bad at caring about things that don't appear urgent until they suddenly, very publicly, are.

Every organization running infrastructure at scale — corporations, government agencies, NGOs — should treat this as a direct warning. DNS hygiene is not a niche concern for sysadmins; it's a basic responsibility of anyone who runs a public-facing domain.

The question isn't whether your organization has abandoned subdomains — it almost certainly does. The question is whether you'll find them before a scammer does.

Source: Ars Technica
