Scammers hijack hundreds of university subdomains to serve porn
TL;DR
Attackers hijacked hundreds of subdomains across dozens of universities by claiming dangling DNS records that pointed to expired third-party services, then served porn under trusted edu domains.
What changed
Researchers documented hundreds of subdomains across dozens of universities being hijacked to serve illicit content. The root cause was dangling DNS records pointing to expired third-party services and forgotten cloud storage. Attackers re-registered the deprovisioned resources and inherited the trust signal of the parent domain.
Why it matters
This is a generic infrastructure failure, not a higher-ed-specific one. Any engineering team that has ever spun up a subdomain for a marketing landing page, a staging environment, or a deprecated SaaS tool is sitting on the same risk. Subdomain takeover damages search rankings, breaks email deliverability via SPF/DKIM lineage, and provides a credible phishing surface against your own users.
What to watch for
Pull a full export of your DNS zone and reconcile every CNAME against the live status of its target. Tools like dnsReaper, subjack, and ProjectDiscovery's nuclei templates will flag takeovers automatically. Wire the check into CI so any new dangling record fails the build. Make DNS deletion a required step in the runbook for sunsetting services.
Who this matters for
- Developers: Inventory all DNS records and delete any CNAME pointing to a deprovisioned SaaS, S3 bucket, or expired hosting tenant.
Harsh’s take
Dangling DNS is the most preventable security failure in the industry, and it keeps happening because no one owns the DNS zone after the project ends. A CNAME pointing to a deprovisioned Heroku app or a deleted S3 bucket is not a stale config; it is an open invitation for someone to register that resource and host whatever they want under your domain.
Build this into your offboarding and project sunset checklist. When you tear down a service, the DNS record dies in the same PR. Run a quarterly subdomain takeover scan with subjack or dnsReaper against your zone file. If your team cannot list every subdomain it owns and what each points to, that gap is the breach waiting to happen.
by Harsh Desai
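The zone reconciliation described under "What to watch for" and the scan recommended in the take above, as an added example (not from the original article or from any of the tools it names): a Python check that reads a BIND-style zone export and exits non-zero when a CNAME target no longer resolves. The sample zone and every hostname in it are constructed, and the parser assumes each record line names its owner.

```python
import socket
import sys

# Constructed sample zone export (BIND-style); every name here is made up.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
www      3600 IN A     192.0.2.10
events   3600 IN CNAME old-events.example-saas.test.
library  300  IN CNAME www
promo         IN CNAME retired-bucket.storage.example.net.
; staging     IN CNAME gone.example-paas.test.
"""

def qualify(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    if name.endswith("."):
        return name[:-1].lower()
    return origin if name == "@" else f"{name}.{origin}".lower()

def parse_cnames(zone_text, origin=""):
    """Yield (owner, target) FQDN pairs for every CNAME record line."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop comments, tokenize
        if not fields or raw[:1].isspace():      # blank or owner-less line
            continue
        upper = [f.upper() for f in fields]
        if upper[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
        elif "CNAME" in upper[1:-1]:             # type token followed by a target
            i = upper.index("CNAME", 1)
            yield qualify(fields[0], origin), qualify(fields[i + 1], origin)

def system_resolves(host):
    """True if the local resolver returns any address for host."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Return (owner, target) for CNAME records whose target does not resolve."""
    return [(o, t) for o, t in parse_cnames(zone_text) if not resolves(t)]

if __name__ == "__main__":
    zone = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    dangling = find_dangling(zone)
    for owner, target in dangling:
        print(f"DANGLING {owner} -> {target}")
    sys.exit(1 if dangling else 0)               # non-zero exit fails the CI job
```

A target that fails to resolve is only one signal: many providers answer DNS for resource names nobody currently holds, which is why the dedicated scanners also fingerprint the provider's response.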