A researcher discovered that threat actors hijacked subdomains belonging to more than 30 major universities. The attackers exploited subdomain hijacking, a technique that allows bad actors to impersonate trusted institutions by taking control of web properties that operate under a university's domain name.
Subdomain hijacking becomes possible when organizations fail to properly manage or monitor their web infrastructure: attackers register or claim abandoned subdomains, then use them to launch phishing campaigns, distribute malware, or conduct other attacks. Because the universities' established reputations lend credibility to the malicious activity, victims are more likely to trust fraudulent communications.
The researcher, whose work was reported by EdScoop, identified the vulnerability at institutions across the country. This discovery highlights a widespread security gap in how universities manage their digital assets. Many institutions maintain dozens or hundreds of subdomains for various departments, projects, and services. Without proper inventory and monitoring systems, abandoned or forgotten subdomains become easy targets.
Universities store sensitive data and work with vulnerable populations, including students and researchers. A successful attack leveraging a hijacked university subdomain could expose personal information, compromise academic research, or damage institutional trust. Security experts recommend that universities conduct regular audits of all subdomains, implement monitoring systems, and establish clear policies for deactivating unused web properties.
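The audit the experts recommend above can be partly automated. The following is an added example (not code from the researcher, EdScoop, or any university): it parses a constructed BIND-style zone export, flags CNAME records whose target no longer resolves (the dangling records that make a subdomain claimable), and flags subdomains missing from an asset inventory. The zone data, inventory, `host.example` names, and the `LIVE` stub standing in for real DNS answers are all assumptions constructed for the demo.

```python
import socket
from dataclasses import dataclass

# Constructed sample zone export (not taken from any real university zone).
ZONE = """\
; example.edu zone export
www.example.edu.        3600 IN A     203.0.113.10
events.example.edu.     3600 IN CNAME old-events.host.example.
library.example.edu.    3600 IN CNAME catalog.host.example.
alumni2014.example.edu. 3600 IN CNAME reunion2014.host.example.
"""

# Constructed asset inventory: subdomains that have a named owner.
INVENTORY = {"www.example.edu": "web-team", "library.example.edu": "library-it"}

# Constructed stand-in for live DNS: names that still resolve.
LIVE = {"catalog.host.example", "reunion2014.host.example"}

@dataclass
class Finding:
    subdomain: str
    target: str
    reason: str

def parse_cnames(zone_text):
    """Return (subdomain, target) pairs for every CNAME in a BIND-style export."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # drop comments, tokenize
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            pairs.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return pairs

def resolves(hostname):
    """Live check used in production: does the CNAME target still resolve?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, inventory, resolve=resolves):
    """Flag dangling CNAMEs (target gone, so a third party could re-register it)
    and subdomains that nobody in the inventory owns."""
    findings = []
    for sub, target in parse_cnames(zone_text):
        if not resolve(target):
            findings.append(Finding(sub, target, "dangling: target does not resolve"))
        if sub not in inventory:
            findings.append(Finding(sub, target, "no owner in inventory"))
    return findings

if __name__ == "__main__":
    for f in audit(ZONE, INVENTORY, resolve=lambda h: h in LIVE):
        print(f"{f.subdomain} -> {f.target}: {f.reason}")
```

Run against a real zone export with the default `resolve=resolves` to perform live lookups; each finding is a record to either reclaim, re-point, or delete.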
