The Silent Push HTML Title Impersonation query allows users to locate impersonation domains that are using the same favicon as their own trusted infrastructure.

Threat actors use directly spoofed and slightly amended HTML titles in phishing attacks, to trick users into thinking that they are visiting a legitimate website.

Either the title displayed in a users browser is a direct copy of a legitimate title, or there are subtle differences in spelling that are hard to detect at a glance.

Executing a HTML Title Impersonation query

Working with HTML Title Impersonation results

Favicon Impersonation queries are executed using Silent Push Web Scanner.

When a query is run, the platform uses Web Scanner to capture the legitimate domain's HTML title, and runs a query that locates non-trusted domains using the same HTML title.

Results are populated using a Web Scanner table, with the following default categories:

• htmltitle - HTML title of the returned result
• scan_date - Timestamp of when the data was scanned
• origin_url - URL that was originally scanned
• URL - The final URL that's arrived at
• IP - IP address
• hostname - Domain

To add or remove categories from the results table, click the icon next to Basic Raw Data and choose additional categories from the list.

To get a comprehensive break down of each result, including all relevant SPQL field names associated with the result, click Expand on the far right of the results table.

Monitoring changes

Once you've received a set of results, Silent Push allows you to monitor the data, alerting you of changes via email every 24 hours.