Online Designing Platform Canva Abused In Credentials Phishing

Canva is a well known graphic designing platform that offers both free and paid services. The platform is used by various designers, bloggers and businesses to use the templates and design banners, posters, cards, advertisements, infographics, forms and many more. Users can either download them in various formats or share the link to social media or other platforms.

However, the service is now being actively abused by cyber actors to host phishing scams. The online graphics designing platform is being actively used by bad actors to create forms and hosting them as phishing landing pages.

These forms contain embedded links that are being shared as redirect pages. So, when any user opens the link, they see a form in full view. And is able to interact with the form like any field to enter to links to click.

Threat actors are abusing canva’s hosting Service For Phishing scams

According to a report from Cofense- a cybersecurity firm, says that the threat actors are actively abusing the Canva to create and host HTML landing pages. These can then be used to redirect users to phishing pages showing login forms.

If the user/victim clicks on the phishing link, it will redirect them to an intermediary page hosted by Canva. However, the page may attempt to legit, as it tends to appear as showing details about some Fax user received. The pages also contain some clickable links that are meant to review the fax document. A sample of the phishing form shows a delivery notification of SharePoint eFax.

Online Designing Platform Canva Abused In Credentials Phishing

Online Designing Platform Canva Abused In Credentials Phishing (image source: Bleeping computer)

Further, the notification contains a link that redirects users to the phishing landing page hosted on designing platform Canva.

Online Designing Platform Canva Abused In Credentials Phishing 1

Canva Abused In Credentials Phishing link To Review the Document (image source: Bleeping computer)

While clicking on the link, it finally redirects to the phishing page that prompts users to log in to view the document. Here, any login credentials user enters will be stolen by the threat actors.

In short, the whole spam campaign is about abusing the template created on the canva and using them in phishing emails. Not surprising, they pretend it to be an important Fax information, which lures users into clicking them. Upon clicking it redirects to the phishing landing page, where the login credentials entered by the users can easily be stolen by the attackers.

Canva’s Data Breach History

While, this is not the first time, Canva and its services are being abused by threat actors. In fact, a data breach came into light in mid- 2019, when hackers breaches the canva’s database. They managed to steal login credentials, emails and passwords(encrypted) of over 130 million Canva users.

Initially, Canva underestimated it hoping that the passwords are encrypted that cannot be cracked. However, the hackers managed to decrypt the passwords of over 4 million users and put them up for sale. Then after Canva took immediate actions to change the passwords of the users.

Why Threat Actors Abusing Canva

Canva is relatively an online platform to create and share the various media contents. And is not particularly acts as a hosting platform, so it has less take on such phishing attempts.

“Canva is probably aware of the problem, removing malicious files as and when they’re found but, as our research has concluded, many of these malicious files have remained on Canva’s hosted platform for hours and even days at a time. Sites, such as Google where hackers have traditionally hosted their phishing emails, appear to be a lot faster in detecting and removing them, which is another reason threat actors have begun to exploit the Canva platform,” says the condense report.

How To Protect Yourself From Phishing Scams

Threat actors are continuously using various social engineering tactics to scam users. Thus, besides the security firms are closely watching them. But it is equally important as being a user to prevent ourselves from such malicious acts. After all, we are the one who have to bear the loss.

To combat such acts, users need to be aware of the scam emails that are imitates to be some important or official emails. Spotting a phishing email are not too difficult, if you look closely to some points like:

  • Fake brand logo;
  • Shortened links;
  • Grammatical errors;
  • Unsolicited links or documents;
  • Emails which may not actually be expecting like fake invoices, shipment or fax so on.

Besides that, it is very important to enable the 2FA authentication to your accounts. You should not save your login details on the device or browser. Better use a legitimate password manager tool like Dashlane to keep them secure.

Dashlane Password Manager tool

Dashlane Password Manager tool

To secure your passwords and logins download DashLane Password Manager Now.

Install a real-time protection tool to safeguard your privacy and both online and offline. So, if haven’t got one, then you should definitely check out ESET Smart Security.

Short Review:

ESET Smart Security Guards Against Ransomware


Its a comprehensive security tool that does not only protects from viruses but also ensures online privacy. Besides being a renowned anti-virus, it protects from Ransomware attacks, prevents hackers or spyware from stealing banking and login credentials. Safeguards online shopping and bank transactions.

Secondly, due to advanced anti-theft technology, ESET protects your wifi routers, networks, smart devices and webcam and other traceable devices. In case your device gets lost or stolen, it helps to track the location of the theft via built-in camera of the device.

And best part it it secures all your devices with a single license whether it is Mac, Windows, Android or Linux.



More From Unboxhow