Use the favicon impersonation query
    • 10 Jul 2024


    The Silent Push Favicon Impersonation query allows users to locate impersonation domains that are using the same favicon as their own trusted infrastructure.

    Threat actors deploy favicons to make a phishing site appear legitimate in the eyes of the user. By mimicking an organization's favicon, attackers increase the believability of their scam.

    In some cases, attackers also leverage the way browsers display favicons to adapt their attack to the user.

    Executing a Favicon Impersonation query

    1. Navigate to Brand Impersonation > Favicon Impersonation

    2. Enter a domain name in the Domain Name box (wildcards are not supported)

    3. (Optional) Click the Save button on the top right to save the query for future use

    4. Click Search

    Working with Favicon Impersonation results

    Favicon Impersonation queries are executed using Silent Push Web Scanner.

    When a query is run, the platform uses Web Scanner to capture the MD5 hash of a domain's legitimate favicon, and automatically scans for its use across all public-facing non-trusted infrastructure.

    Results are populated using a Web Scanner table, with the following default categories:

    • scan_date - Timestamp of when the data was scanned
    • origin_url - URL that was originally scanned
    • URL - The final URL that's arrived at
    • hostname - Domain
    • favicon_icons - Image displaying the favicon returned for that result
    • favicon_murmur3 - Murmur3 hash (standard favicon)
    • favicon2_murmur3 - Murmur3 hash (favicon2)

    To add or remove categories from the results table, click the icon next to Basic Raw Data and choose additional categories from the list.

    To get a comprehensive breakdown of each result, including all relevant SPQL field names associated with the result, click Expand on the far right of the results table.

    Monitoring changes

    Once you've received a set of results, Silent Push allows you to monitor the data, alerting you of changes via email every 24 hours.

    1. Click the Monitor button on the top right of the results screen

    2. Enter a Monitor name

    3. Enter a Description

    4. Click Save

