Canva, an Australian online graphic design platform, is the victim of a cyberattack after hackers compromised the platform to design and store malicious files disguised as official-looking documents, which can be deployed in phishing emails to pilfer sensitive data. Canva lets users create graphical images, presentations, infographics, and other visual content on both web and mobile platforms.
Security firm KnowBe4 said in its report that several phishing emails using Canva to spread credential phishes via a number of social engineering schemes were being reported to it regularly.
The Canva-Based Phishing Attack:
1. After creating a malicious document/file on Canva, the threat actors send an email to the targeted user with a link to this malicious file.
2. The dodgy email claims to be from a legitimate source and prompts the user to click on the link saying that it redirects to an important file.
3. If the user clicks on the first link, the page again prompts the user to click on another link to view the file mentioned in the email, but that link actually redirects to a phony login page. The user is then asked to enter login credentials, which can result in an account takeover by the hackers.
“The odd appearance of this document ought to alert users that something is amiss. If nothing else, this clearly is not anything hosted on Sharepoint. Users who elect to plow on in an attempt to access the Secure Document are shuffled off to a poorly spoofed Sharepoint login page hosted on Weebly,” the report stated.
“While spoofs of Microsoft and Docusign are common enough in Canva-based phishing attacks, the malicious emails sporting Canva links that we most frequently encounter are fake voice mail notifications — a genre that has been on the rise over the past few months. Strangely, the initial email in this particular attack immediately requires users to open yet another attached email,” the report said.
The report added, “The vast majority of these malicious emails lead to credentials phishes, some more credibly presented than others. Canva is being used to create and host files that are employed for some of the most common social engineering schemes that we see on a daily basis.”
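The pattern the steps above and the report describe is a brand lure (SharePoint, DocuSign, voice mail, "Secure Document") whose link points not at that brand but at a Canva-hosted design. The following is an added defender-side example, not code from the report or from Canva: a small mail-triage heuristic that flags that mismatch on a few constructed sample messages. The brand-to-domain table and the sample URLs are assumptions.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Brands the report says are spoofed in Canva-hosted lures, mapped to the domains
# a genuine notification from that brand would link to (assumed list, not exhaustive).
BRAND_DOMAINS = {
    "sharepoint": ("sharepoint.com", "microsoft.com"),
    "microsoft": ("microsoft.com", "sharepoint.com"),
    "docusign": ("docusign.com", "docusign.net"),
    "voice mail": (),       # a voicemail notice has no reason to link to a design site
    "voicemail": (),
    "secure document": (),
}
DESIGN_SHARING_HOSTS = ("canva.com",)


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_hosts(body):
    """Registrable domains of every http(s) link found in the message body."""
    return [registrable(urlparse(u).hostname or "") for u in URL_RE.findall(body)]


def assess(subject, body):
    """Return (suspicious, reasons): suspicious when a brand lure is combined with a design-host link."""
    text = f"{subject}\n{body}".lower()
    hosts = extract_hosts(body)
    reasons = []
    design_links = sorted({h for h in hosts if h in DESIGN_SHARING_HOSTS})
    if design_links:
        reasons.append("links to a design-sharing host: " + ", ".join(design_links))
    for term, legit in BRAND_DOMAINS.items():
        if term in text and hosts and not any(h in legit for h in hosts):
            reasons.append(f"mentions '{term}' but no link goes to that brand's own domain")
            break
    return (len(reasons) >= 2, reasons)


# Constructed sample messages (subject, body); the design IDs are placeholders, not real links.
SAMPLES = {
    "lure": ("New Secure Document shared via SharePoint",
             "A secure document is waiting for you. View: https://www.canva.com/design/DAFxxxx/view"),
    "real_sharepoint": ("Document shared with you",
                        "Alice shared a file: https://contoso.sharepoint.com/sites/finance/Q3.xlsx"),
    "design_only": ("Draft logo for review",
                    "Here is the draft: https://www.canva.com/design/DAFyyyy/view"),
}
```

A single Canva link is not flagged on its own, since legitimate design sharing looks the same; only the combination with an unrelated brand lure is scored as suspicious.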
Not the First Time
Earlier, Canva suffered a cyberattack in which hackers penetrated its systems and stole the data of nearly 140 million users. The company stated in a release that customers' usernames and email addresses were accessed. On the bright side, the passwords remain encrypted and are therefore unreadable to external parties. A majority of Canva users sign in with their Google and Facebook accounts via social login; according to the firm, those credentials also remain unreadable, as they were encrypted in the same way. Amid this, Canva has also been criticized by cybersecurity experts for the way it handled the attack and notified customers.