Australian design platform Canva has unwittingly been supplying phishing campaigns with hosted graphics, lending threat actors’ lures an air of legitimacy as they harvest credentials through social engineering.
Threat actors abused the graphic design site, owned by the fast-growing company whose valuation recently rose from $3.2 billion to $6 billion, to host lure files that impersonated other brands such as SharePoint, Microsoft Office and DocuSign, according to a blog post by KnowBe4.
KnowBe4 customers have reported more than 4,200 malicious emails built on Canva-hosted files since mid-February, when the volume of such phishing emails noticeably increased.
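The pattern described above is a brand mismatch: the message invokes SharePoint, Office or DocuSign, but its link points at a design or presentation host (Canva, or Microsoft Sway, which the article mentions later) rather than at the brand’s own domains. The following triage heuristic is an added example, not KnowBe4’s or Canva’s code; the lure-host list, brand keywords and sample emails are assumptions constructed for illustration.

```python
"""
Heuristic triage for phishing emails that invoke a brand (SharePoint,
Microsoft Office, DocuSign) but link to files hosted on a third-party
design or presentation service (Canva, Microsoft Sway).

Added example, not KnowBe4 or Canva code. The host list, brand keywords
and sample emails are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Design/presentation hosts seen serving phishing lures (assumed, illustrative list).
LURE_HOSTS = {"canva.com", "sway.office.com", "sway.cloud.microsoft"}

# Brand keyword -> domains where a genuine link for that brand would point (assumed).
BRAND_DOMAINS = {
    "sharepoint": {"sharepoint.com"},
    "office": {"office.com", "microsoft.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostnames of all http(s) URLs found in text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(subject, body):
    """Return sorted, de-duplicated (brand, host) pairs where the message
    mentions a brand in its visible text but links to a lure-hosting service.

    Brand keywords are searched only in the text with URLs removed, so a
    host like sway.office.com does not by itself count as an "Office" mention.
    """
    raw = subject + "\n" + body
    visible = URL_RE.sub(" ", raw).lower()
    hosts = extract_hosts(raw)
    findings = set()
    for brand in BRAND_DOMAINS:
        if brand not in visible:
            continue
        for host in hosts:
            if host_matches(host, LURE_HOSTS):
                findings.add((brand, host))
    return sorted(findings)


# Constructed sample messages (not real phishing emails).
SAMPLES = [
    ("Your SharePoint document is ready",
     "A colleague shared a file with you. Open it here: "
     "https://www.canva.com/design/DAE-example/view."),
    ("DocuSign: please review and sign",
     "Review the document: https://na2.docusign.net/Signing/abc"),
    ("Q3 slides",
     "Draft deck is on Sway: https://sway.office.com/abc123"),
    ("Microsoft Office 365 password expiring",
     "Keep your current password: https://sway.office.com/xyz"),
]


def run_samples():
    """Triage every sample; returns a list of findings per sample."""
    return [triage(subject, body) for subject, body in SAMPLES]


if __name__ == "__main__":
    for (subject, _), result in zip(SAMPLES, run_samples()):
        print(f"{subject!r}: {result or 'clean'}")
```

Only the first and fourth samples are flagged: the DocuSign message links to a DocuSign domain, and the Sway deck mentions no brand outside its URL. A heuristic like this is a triage signal, not a verdict; legitimate mail can link to Canva or Sway, so a match should route the message to review (or to a Phish Alert style reporting flow) rather than block it outright.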
“Businesses and their employees should be on the alert for phishing campaigns that exploit or spoof legitimate online services and brands,” Eric Howes, principal researcher at KnowBe4 and author of the blog post, told SC. “This is not a new phenomenon, nor is it uncommon.”
The use of Canva by malicious actors for credentials phishing should serve as yet another reminder that organizations need to train their users to spot and handle malicious emails correctly.
“All it takes is one user to fall for a credentials phish and open the door to malicious actors,” Howes added.
A May 2019 data breach may have left Canva ripe for abuse. While KnowBe4 isn’t linking the earlier incident with the platform’s current use in phishing schemes, Howes pointed out that Canva, curiously, did not immediately reset users’ passwords after the breach, only to discover later that a list of four million accounts with decrypted passwords was for sale online. That prompted the company to reset users’ passwords.
The Canva website currently makes no mention of the 2019 data breach or the January password reset, and Howes said Canva has not been in touch about this latest discovery.
“Canva is almost certainly aware of the problem, though, as the company is regularly taking down malicious files used in phishing emails,” he said, adding the malicious files used with phishing emails that were reported to KnowBe4 on Friday and over the weekend have been taken down. “Emails reported today, however, are still live.”
Even though Canva is removing the files, Howes noted they typically remain live for hours after being reported, giving unwitting users plenty of time to click through and be phished for credentials.
Howes called Canva a “functional replacement” for online presentation program Microsoft Sway, which was similarly used by hackers to distribute malicious files and the subject of a similar report late last year by KnowBe4.
“Since then, customers using the Phish Alert Button (PAB) have reported dramatically fewer attacks using files created and hosted on Sway,” Howes said in the blog post.
Since only a small percentage of companies using the KnowBe4 PAB platform elect to share reported emails with the company, Howes believes the total number of malicious emails received by customers is “almost certainly much, much larger.”