
By Ala Dabat Cofense Phishing Defense Center

Over the past weeks, the Cofense Phishing Defense Center (PDC) has seen an increase in the number of attackers using the Australian design platform Canva in their attempts to trick unwitting recipients into giving up their login credentials for a number of well-known email platforms. Canva lets users design and share graphically driven content such as presentations and other visual material, which has allowed malicious actors to move away from platforms such as Google Docs and Dropbox and instead harvest sensitive user data through Canva-hosted phishing campaigns.

Examples of these attacks vary, although we have seen an increase in the number of malicious PDF files with embedded links that redirect targets to phishing content hosted on Canva. Canva is in turn used to host image files that act as a launchpad, redirecting targets to malicious websites designed to harvest user credentials via cloned landing pages.

We have noticed that hackers employ this method of delivery to bypass traditional SEG filtering: the body of the email is kept very simple so as to fly under the radar of detection engines, and the malicious link sits in the attachment or on the Canva-hosted image rather than in the message itself. This use of attachments and plainly designed phishing emails is nothing new; however, we are seeing an increase in the number of Canva-hosted malicious images employing this method of delivery.

Figure 1: Email with malicious PDF attachment 

The attachment is a malicious PDF file purporting to be from Microsoft. It opens in the recipient's browser as a local file and contains an embedded link that redirects the recipient to the malicious Canva-hosted image landing page.

Figure 2:  Malicious PDF redirecting targets to Canva hosted malicious image

Once the recipient has clicked the link, they are redirected to an image hosted on Canva, which itself contains a link to the phishing landing page. Note that, as a way of garnering further legitimacy, the image claims to have been scanned by antivirus, giving the recipient a false sense of security.
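The chain described above begins with the link embedded in the PDF attachment, so the first thing a responder wants is every link target the attachment carries, including targets packed into compressed streams. The script below is an added example (ours, not part of the original post or Cofense's tooling) that pulls /URI link actions out of a PDF and tags canva.com design-view links as the hosted-image launchpad stage; the sample PDF, its placeholder URLs and the string-decoding helper are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample, not the campaign's attachment: a minimal PDF with two link
# annotations in clear text (one literal string, one hex string) plus a third
# packed into a FlateDecode stream, as real attachments often are. All URLs
# are placeholders.
_HIDDEN_ANNOT = (b"6 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 620] "
                 b"/A << /S /URI /URI (https://example.net/view-document) >> >> endobj")
_COMPRESSED = zlib.compress(_HIDDEN_ANNOT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 300 720] "
    b"/A << /S /URI /URI (https://www.canva.com/design/EXAMPLEID/EXAMPLETOKEN/view) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [100 650 300 670] "
    b"/A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f6c6f67696e> >> >> endobj\n"
    + b"7 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_COMPRESSED)
    + _COMPRESSED
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# A /URI action followed by a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal string (...) or hex string <...> token."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1]).decode("ascii")
        if len(digits) % 2:
            digits += "0"  # an odd trailing digit is padded with 0 per the spec
        return bytes.fromhex(digits).decode("latin-1")
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i]
        if c == 0x5C and i + 1 < len(body):  # backslash escape
            i += 1
            e = body[i]
            if e in _ESCAPES:
                out.append(_ESCAPES[e])
            elif 0x30 <= e <= 0x37:  # \ddd octal, up to three digits
                j = i
                while j < len(body) and j < i + 3 and 0x30 <= body[j] <= 0x37:
                    j += 1
                out.append(int(body[i:j], 8) & 0xFF)
                i = j - 1
            else:
                out.append(e)  # \( \) \\ and unknown escapes yield the char
        else:
            out.append(c)
        i += 1
    return out.decode("latin-1")


def inflate_stream(data: bytes):
    """Inflate a FlateDecode stream body; None if it is not deflate data."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data)
    except zlib.error:
        return None
    return out if d.eof else None  # trailing whitespace before 'endstream' is fine


def extract_pdf_uris(pdf: bytes) -> list:
    """Every /URI action target in the file, in order, without duplicates.
    Scans the raw bytes and each inflatable stream, so links inside object
    streams are found too. Limitation: unescaped nested parentheses in a
    literal string are not handled."""
    blobs = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        inflated = inflate_stream(m.group(1))
        if inflated is not None:
            blobs.append(inflated)
    uris = []
    for blob in blobs:
        for m in _URI_RE.finditer(blob):
            uri = decode_pdf_string(m.group(1))
            if uri not in uris:
                uris.append(uri)
    return uris


# canva.com/design/<id>[/<token>]/view is the shape of the shared-design link.
CANVA_VIEW_RE = re.compile(r"^/design/[^/]+(?:/[^/]+)?/view/?$")


def triage_uris(uris):
    """Tag each link: a canva.com design-view URL is the hosted-image launchpad
    the post describes; anything else is reported as an external link."""
    findings = []
    for u in uris:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if (host == "canva.com" or host.endswith(".canva.com")) and CANVA_VIEW_RE.match(p.path):
            findings.append((u, "canva-design-view"))
        else:
            findings.append((u, "external-link"))
    return findings


if __name__ == "__main__":
    for uri, tag in triage_uris(extract_pdf_uris(SAMPLE_PDF)):
        print(f"{tag:18} {uri}")
```

Run against a real attachment, a Canva design-view hit tells the analyst which link to follow into the second stage, and the external links are the candidates for the credential-harvesting page. Streams using filters other than FlateDecode, and links built by JavaScript inside the PDF, are outside what this scan sees.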

Figure 3: “OneDrive” landing page hosted on Canva’s design platform 

Once the recipient clicks the link to view the bogus PDF document, they are redirected to an official-looking Microsoft webpage (Figure 4) where they are encouraged to enter sensitive data in order to view the document.

Figure 4: Redirect to an official-looking site purporting to be Microsoft OneDrive for Business.

Aside from attachments, the PDC has also seen variations in the method of delivery, including phishing emails that encourage recipients to click a malicious link to view documents; that link redirects them to a malicious image hosted on Canva.

In the figure below, we can see an example phishing email without a malicious attachment.

Figure 5:  A Canva hosted attack with embedded link claiming to be a new ‘Fax Document’ 

Once recipients click the malicious link they are, as in the previous example, redirected to a Canva landing page with a malicious image.

Figure 6: Malicious landing page  

Canva is being used by malicious actors as the launchpad for common phishing tactics, applying well known attack vectors and convincing aesthetics for enhanced credibility. 

Figure 7: Multiple email provider login pages for credential harvesting 

In this instance we opted to log in via the bogus Microsoft Outlook login option. Once recipients have entered their credentials, the credentials are harvested to a database.

Figure 8: Example login page, Microsoft Outlook, with credible aesthetics 

Canva is probably aware of the problem and removes malicious files as and when they are found, but, as our research has concluded, many of these malicious files have remained on Canva's hosted platform for hours and even days at a time. Sites such as Google, where hackers have traditionally hosted their phishing pages, appear to be a lot faster at detecting and removing them, which is another reason threat actors have begun to exploit the Canva platform.

Indicators of compromise:

Network IOCs (URL, then the IP(s) observed for it; all defanged)

hXXps://9812343[.]fls[.]doubleclick[.]net/activityi;src=9812343;type=retar0;cat=flood0;ord=7358195098176  172[.]217[.]15[.]102
hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view  104[.]18[.]215[.]67, 104[.]18[.]216[.]67
hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/  192[.]249[.]114[.]34
hXXps://www[.]seoera[.]net/7hd7n3ydnbd734/Driveee/Drive/  192[.]254[.]138[.]161
hXXps://saynodeserve[.]com/cardinal/m/f/  160[.]153[.]203[.]183
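The IOC list above is defanged so it can be shared safely, and it mixes attacker-controlled hosts with shared, legitimate infrastructure: canva.com and doubleclick.net serve enormous volumes of benign traffic, and the IPs listed beside them are CDN and Google addresses shared by many tenants, so matching on those hostnames or IPs alone would flag ordinary browsing. The following added example (ours, not Cofense's) refangs the list, uses exact-URL matching for the shared hosts and hostname/IP matching for the rest, and runs the result over a few constructed proxy-log lines in an assumed "timestamp src dst method url status" layout. Which hosts count as shared is our judgment and is marked as such in the code.

```python
import re
from urllib.parse import urlparse

# The indicators from the post, still defanged: one URL per line followed by
# the IP(s) observed for it (comma-separated where there were several).
DEFANGED_IOCS = """\
hXXps://9812343[.]fls[.]doubleclick[.]net/activityi;src=9812343;type=retar0;cat=flood0;ord=7358195098176  172[.]217[.]15[.]102
hXXps://www[.]canva[.]com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view  104[.]18[.]215[.]67, 104[.]18[.]216[.]67
hXXps://thelivingoodcenter[.]com/cs/office365-RD62/offaccess/  192[.]249[.]114[.]34
hXXps://www[.]seoera[.]net/7hd7n3ydnbd734/Driveee/Drive/  192[.]254[.]138[.]161
hXXps://saynodeserve[.]com/cardinal/m/f/  160[.]153[.]203[.]183
"""

# Shared, legitimate services (Canva itself; Google ad tracking). For these
# hosts, and for the IPs listed beside them (CDN / Google ranges that serve
# many tenants), only an exact URL match counts; a hostname or IP hit alone
# would flag ordinary traffic. Which hosts are "shared" is our judgment, not
# something the post states.
SHARED_HOSTS = ("canva.com", "doubleclick.net")


def refang(s: str) -> str:
    """Turn hXXps://a[.]b back into https://a.b."""
    return re.sub(r"(?i)hxxp", "http", s.replace("[.]", ".").replace("[:]", ":"))


def parse_iocs(text: str):
    """Return (url, ip) pairs. IPs on a line of their own inherit the last URL;
    a URL with no IP yields (url, None)."""
    pairs, last_url = [], None
    for line in text.splitlines():
        parts = line.replace(",", " ").split()
        if not parts:
            continue
        if parts[0].lower().startswith("hxxp"):
            last_url, ips = refang(parts[0]), parts[1:]
            if not ips:
                pairs.append((last_url, None))
        else:
            ips = parts if last_url else []
        pairs.extend((last_url, refang(ip)) for ip in ips)
    return pairs


def _norm_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _is_shared(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTS)


def build_matcher(pairs):
    """Split the IOCs into exact URLs (shared hosts), hostnames and IPs."""
    exact_urls, hosts, ips = set(), set(), set()
    for url, ip in pairs:
        host = _norm_host(urlparse(url).hostname)
        if _is_shared(host):
            exact_urls.add(url.rstrip("/"))
        else:
            hosts.add(host)
            if ip:
                ips.add(ip)
    return exact_urls, hosts, ips


# Assumed proxy-log layout: timestamp src_ip dst_ip method url status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(lines, pairs=None):
    """Return (line_no, url, reason) for every log line that hits an IOC."""
    exact_urls, hosts, ips = build_matcher(
        parse_iocs(DEFANGED_IOCS) if pairs is None else pairs)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, _src, dst, _method, url, _status = m.groups()
        host = _norm_host(urlparse(url).hostname)
        if url.rstrip("/") in exact_urls:
            hits.append((n, url, "exact IOC URL"))
        elif host in hosts:
            hits.append((n, url, f"IOC host {host}"))
        elif dst in ips:
            hits.append((n, url, f"IOC IP {dst}"))
    return hits


# Constructed log lines for illustration; only lines 1, 2 and 4 should fire.
# Line 3 is a different Canva design and line 5 is Google on a shared IP.
SAMPLE_LOG = [
    "2020-08-10T09:12:01Z 10.0.0.5 104.18.215.67 GET https://www.canva.com/design/DAEHygBxHno/INiENewnEJagw51VOIkz7w/view 200",
    "2020-08-10T09:12:40Z 10.0.0.5 192.249.114.34 GET https://thelivingoodcenter.com/cs/office365-RD62/offaccess/ 200",
    "2020-08-10T09:13:05Z 10.0.0.8 104.18.216.67 GET https://www.canva.com/design/OTHERDESIGN/TOKEN/view 200",
    "2020-08-10T09:14:10Z 10.0.0.9 192.254.138.161 GET https://seoera.net/unrelated/page 200",
    "2020-08-10T09:15:00Z 10.0.0.9 172.217.15.102 GET https://www.google.com/ 200",
]

if __name__ == "__main__":
    for n, url, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {url}")
```

The hostname rule is deliberately broader than the URL rule: it fires on seoera.net regardless of path, which is what you want while the campaign is live, but hosts like that may be compromised legitimate sites rather than attacker-owned, so review those hits before turning them into blocks.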


All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.