Threat actors have been taking advantage of Canva as the basis for widespread phishing campaigns.

Canva is a legitimate graphic design platform used to create graphics, presentations, posters and other visual content. It is available on web and mobile, and integrates millions of images, fonts, templates and illustrations. It is predominantly used by graphic designers and marketing companies.

But its legitimacy has been dented somewhat with the emergence of a phishing campaign leveraging the site.

The screenshot below is from an email that is in current circulation. It claims to be from a legitimate organisation…

The blue hyperlinked text directs a user to the Canva site where a potentially malicious graphic is displayed to convince users to expose their login credentials or download a malicious file.

The link that navigates victims from their email to the Canva site bypasses filters and firewalls due to the site being legitimate and typically non-malicious.

A significant number of phishing campaigns have been launched through Canva, with more than 10,000+ scans of similar malicious sites shown on URLscan.io, and it is likely this will continue as it is a highly convincing method of tricking victims into their legitimacy.

The basic premise of the campaign is to create a spoofed login form, or malicious file, using Canva’s graphical features on their site. A link is sent to the victim, luring them to the site and prompting them to login to the spoofed image or download the malicious file, giving a threat actor opportunity to exploit either credentials or execute the file downloaded.

The main reason these campaigns are so convincing is due to the Canva site being well known and typically safe, allowing them to avoid intrusion detection system (IDS) rules and evade antivirus systems.

When the URL is physically checked it will also display HTTPS protection which is a key feature taught in phishing education courses and videos that may be shown at many organisations.

Analysis of previous attacks show that the site itself is safe and legitimate and that the problem lies with the specific landing page the victim is directed to, as this is where they will then be prompted for credentials or downloads.

Similar lures have been seen on other platforms such as Dropbox and SendGrid, which have also been used to distribute phishing campaigns. However, Canva fell victim to a data breach in May 2019 causing over 139 million users to have their data compromised, including passwords.

Subsequently, a significant number of premium accounts were leaked online and there is a realistic possibility that these accounts can be used for malicious purposes.

Additionally, free user accounts have a lot of functionality that a threat actor can leverage to their advantage.

Therefore, the use of Canva to leverage phishing campaigns may be just as popular or seen to become more widespread despite lacking some functionality such as propagating emails.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).