Threat actor hijacked subdomains at 30+ major universities, researcher found

Subdomain hijackings are a common technique for piggybacking on the prestige of respected institutions, a researcher wrote.
[Image: .edu (Getty Images)]

Alex Shakhov, the founder of a cybersecurity consulting firm, disclosed in a recent blog post that earlier this month he discovered that a threat actor had taken over 34 .edu subdomains at major universities — including MIT, Harvard, Stanford and Columbia.

He found that Google had even indexed the results, websites that are serving “pornographic spam.” The full list of affected institutions includes: MIT, Harvard, Stanford, UC Berkeley, Columbia, University of Chicago, Johns Hopkins University, George Washington University, University of Michigan, Rutgers, University of Virginia, Texas A&M, UC San Diego, Stony Brook University, Auburn University, University of Utah, University of Georgia, George Mason University, TCU, UCSF, Emory University, University of Washington, Washington University in St. Louis, Case Western Reserve University, UNC Chapel Hill, UNC Greensboro, Florida State University, Florida Southern College, Cal Poly, Antioch University, Ball State University, San Diego Supercomputer Center (SDSC), Atlantis University, and SIT.

According to Shakhov’s blog post, a subdomain takeover is a simple operation that starts with finding old projects that once lived on the university’s website and taking over those subdomains to host spammy or illicit content. Because of their association with a trusted source — universities — the subdomains enjoy high rankings on Google searches.

“The root cause is simple: organizations create DNS records and never clean them up,” the post reads. “There is no expiry date on a CNAME record. Nobody gets an alert when the target stops responding. And most university IT departments don’t maintain a comprehensive inventory of their subdomains and where they point.”
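The failure mode described above, a CNAME whose target no longer resolves, is something an IT department can check for from its own zone data. The following is an added example, not code from Shakhov's post: it walks a constructed zone export with a constructed stub resolver and flags every CNAME whose target returns no answer (NXDOMAIN), which is the precondition for this kind of takeover.

```python
"""Flag dangling CNAME records: entries whose target name no longer resolves.

Sample zone and resolver answers below are constructed for illustration; swap
`stub_resolve` for a real lookup (e.g. dnspython's dns.resolver.resolve, catching
dns.resolver.NXDOMAIN and returning None) to audit a live zone export.
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # (name, rtype, target/address)

# Constructed zone export; none of these are real records.
SAMPLE_ZONE: List[Record] = [
    ("www.example.edu", "A", "192.0.2.10"),
    ("oldproject.example.edu", "CNAME", "oldproject-site.hosting.example.net"),
    ("conf2015.example.edu", "CNAME", "conf2015.pages.example.org"),
    ("library.example.edu", "CNAME", "lib-frontend.example.edu"),
    ("lib-frontend.example.edu", "A", "192.0.2.20"),
]

# Constructed resolver answers: address list for a live name, None for NXDOMAIN.
STUB_ANSWERS: Dict[str, Optional[List[str]]] = {
    "oldproject-site.hosting.example.net": None,  # project deleted at the provider
    "conf2015.pages.example.org": ["198.51.100.5"],
    "lib-frontend.example.edu": ["192.0.2.20"],
}


def stub_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for a DNS lookup; unknown names are treated as NXDOMAIN."""
    return STUB_ANSWERS.get(name)


def find_dangling_cnames(
    zone: List[Record], resolve: Callable[[str], Optional[List[str]]]
) -> List[Tuple[str, str]]:
    """Return (record_name, cname_target) for each CNAME whose target does not resolve.

    Only CNAME targets are examined: a university name that aliases a released
    third-party name is what lets someone else claim that name and inherit the alias.
    """
    dangling = []
    for name, rtype, target in zone:
        if rtype == "CNAME" and resolve(target) is None:
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, stub_resolve):
        print(f"DANGLING CNAME: {name} -> {target}")
```

A target that resolves is not proof the alias is safe, since the record may still point at content the university no longer controls; a periodic inventory of which CNAMEs exist and who owns each target is the remediation the post calls for.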
