Online Design Platform Canva Abused by Hackers for Phishing
Bad actors, especially those focusing on scams and phishing emails, have been shifting their focus to exploiting cloud services and online tools for their campaigns. After a rise in phishing emails using content hosted on Microsoft's Sway presentation platform, bad actors have also abused the Australian online graphic design platform Canva to host their scams.
As an online media design platform, Canva offers many tools that help ordinary users create appealing presentations and graphics, and now hackers and bad actors want a slice of that pie as well. KnowBe4 users have reported a large number of malicious emails using files designed and hosted on Canva. This has been going on throughout 2020, starting as early as February.
Faking Big Brand Names to Phish Victims
The scheme is simple: bad actors create convincing imagery and templates for their phishing emails and lure users into clicking links that lead to external malicious websites where their credentials are harvested. Microsoft imagery and fake Microsoft content remain among the most frequently spoofed material in these phishing emails, as brand popularity is a major factor in social engineering and lends a lot of credibility to a fake message or image.
This increase in malicious activity using materials hosted on Canva comes in the wake of a 2019 data breach. In mid-2019, hackers breached Canva's databases and managed to swipe the login info, including emails and encrypted passwords, of over 130 million Canva users; payment information was not affected. After the incident, Canva did not move to immediately change user passwords, perhaps relying on the encryption used for the existing ones. However, after 4 million decrypted Canva user passwords were put up for sale online, the company moved quickly to reset everyone's password.
Protection from Phishing Starts with the Human Factor
That's not to say Canva has not been taking action against the malicious images hosted on its platform. Reported malicious files are actively taken down, but they stay live for a few hours, giving the phishing campaigns that use them some time to inflict damage. Of course, the phishing attempts reported through KnowBe4 are statistically only a small fraction of the full volume of images stored on Canva for malicious purposes.
As with all attacks that rely heavily on social engineering, phishing prevention and protection should be rooted primarily in staff training. Checking where a link actually points by hovering over it, poor formatting and grammar in supposedly official emails, and unsolicited or unexpected documents should all be red flags that something is not right.
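The "hover over the link" habit can also be automated at the mail gateway. The following is an added example (not part of the original article) that extracts every anchor from an HTML email body, flags links whose visible text names a different host than the real target, and flags targets hosted on the design and presentation platforms the article names; the platform list, the sample email and the Canva path in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms the article names as abused to host lure pages (assumed list for this example).
LURE_HOSTS = ("canva.com", "sway.office.com")
# Visible anchor text that looks like a URL or bare domain; group 1 is the host it shows.
_SHOWN_HOST = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#].*)?")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, reason) findings for anchors a reader should distrust."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Real target host, stripped of any user@ prefix and port.
        host = urlparse(href).netloc.lower().split("@")[-1].split(":")[0]
        shown = _SHOWN_HOST.fullmatch(text.lower())
        # Hover check: the text shows one domain while the link actually goes elsewhere.
        if shown and shown.group(1) != host and not host.endswith("." + shown.group(1)):
            findings.append((href, f"display text '{text}' does not match target host {host}"))
        # Lure hosted on a design/presentation platform named in the article.
        if any(host == h or host.endswith("." + h) for h in LURE_HOSTS):
            findings.append((href, f"target hosted on {host}"))
    return findings

# Constructed sample email; the Canva path is a placeholder, not a real design.
SAMPLE_EMAIL = """<html><body><p>Your mailbox is full. Review the shared document:</p>
<a href="https://www.canva.com/design/PLACEHOLDER-ID/view">https://login.microsoftonline.com</a>
<p>Questions? <a href="https://example.org/contact">Contact us</a></p></body></html>"""
```

Running `check_links(SAMPLE_EMAIL)` returns two findings for the first link (display text and target host disagree, and the target sits on Canva) and none for the plain contact link.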