Microsoft ATP
Microsoft EOP
Mimecast
Proofpoint By Ala Dabat Cofense Phishing Defense Center
Over the past weeks, the Cofense Phishing Defense Center (PDC) has seen an increase in the number of attackers deploying Australian design platform Canva in their attempts to trick unwitting recipients into giving up their login credentials for a number of well-known email platforms. Canva lets users design and create graphically driven content such as presentations and other visual content, which has allowed malicious actors to move away from platforms such as Google Docs and Dropbox to harvest sensitive user data through powerfully driven phishing campaigns.
Examples of these attacks vary, although we have seen an increase in the number of malicious PDF files with embedded links that redirect targets to phishing websites hosted on Canva. Canva is in turn used to host image files used as a launch pad, redirecting targets to malicious websites designed to harvest user credentials via cloned landing pages.
We have noticed that this method of delivery has been employed by hackers to bypass traditional SEG filtering by keeping the content of the email very simple so as to fly under the radar of detection engines. This use of attachments and simply designed phishing emails is nothing new; however we are seeing an increase in the number of Canva hosted malicious images employing this method of delivery.
Figure 1: Email with malicious PDF attachment
The attachment is a malicious PDF file purporting to be from Microsoft, which then loads via the recipient’s browser as a local file with an embedded link redirecting the recipient to the malicious Canva image landing page.
Figure 2: Malicious PDF redirecting targets to Canva hosted malicious image
Once the recipient has clicked on the link, they are redirected to an image hosted on Canva, which includes a link directing to the phishing landing page. Note that as a method of garnering further legitimacy, the image claims to have been scanned by antivirus giving the recipient a further sense of security.
Figure 3: “OneDrive” landing page hosted on Canva’s design platform
Once the recipient clicks the link to view the bogus PDF document, they are then redirected to an official looking Microsoft webpage (Figure 4) where they are encouraged to enter sensitive data in order to view the document.
Figure 4: Redirect to an official looking site purporting to be Microsoft OneDrive for business.
Aside from attachments the PDC has also seen different variations in the methods of delivery, including phishing emails encouraging recipients to click on a malicious link to view documents; it redirects them to a malicious image hosted on Canva.
In the figure below, we can see an example phishing email without a malicious attachment.
Figure 5: A Canva hosted attack with embedded link claiming to be a new ‘Fax Document’
Once recipients click the malicious link, like the previous example, they are redirected to a Canva landing page with a malicious image.
Figure 6: Malicious landing page
Canva is being used by malicious actors as the launchpad for common phishing tactics, applying well known attack vectors and convincing aesthetics for enhanced credibility.
Figure 7: Multiple email provider login pages for credential harvesting
In this instance we opted to log in via the bogus Microsoft Outlook login option. Once the recipients have entered their credentials, the credentials are harvested to a database.
Figure 8: Example login page, Microsoft Outlook, with credible aesthetics
Canva is probably aware of the problem, removing malicious files as and when they’re found but, as our research has concluded, many of these malicious files have remained on Canva’s hosted platform for hours and even days at a time. Sites, such as Google where hackers have traditionally hosted their phishing emails, appear to be a lot faster in detecting and removing them, which is another reason threat actors have begun to exploit the Canva platform.
Indicators of compromise:
| Network IOCs | IPs |
| hXXps://9812343[.]fls[.]doubleclick[.]net/activityi;src=9812343;type=retar0;cat=flood0;ord=7358195098176 | 17221715102 |
| hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view | 1041821567
104[.]18[.]216[.]67 |
| hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/ | 19224911434 |
| hXXps://www[.]seoera[.]net/7hd7n3ydnbd734/Driveee/Drive/ | 192254138161 |
| hXXps://saynodeserve[.]com/cardinal/m/f/ | 160153203183
|
Conclusion
Cofense is the only company that combines a global network of 30 million people reporting phish with advanced AI-based automation to stop phishing attacks fast. Learn more about our phishing detection and response platform here.
