- 10 Jul 2024
Use the favicon impersonation query
- Updated on 10 Jul 2024
The Silent Push Favicon Impersonation query allows users to locate impersonation domains that are using the same favicon as their own trusted infrastructure.
Threat actors deploy favicons to make a phishing site appear legitimate in the eyes of the user. By mimicking an organization's favicon, attackers increase the believability of their scam.
In some cases, attackers also leverage the way browsers display favicons to adapt their attack to the user.
Executing a Favicon Impersonation query
- Navigate to Brand Impersonation > Favicon Impersonation
- Enter a domain name in the Domain Name box (wildcards are not supported)
- (Optional) Click the Save button on the top right to save the query for future use
- Click Search
Working with Favicon Impersonation results
Favicon Impersonation queries are executed using Silent Push Web Scanner.
When a query is run, the platform uses Web Scanner to capture the MD5 hash of a domain's legitimate favicon, and automatically scans for its use across all public-facing non-trusted infrastructure.
Results are populated using a Web Scanner table, with the following default categories:
- scan_date - Timestamp of when the data was scanned
- origin_url - URL that was originally scanned
- URL - The final URL that's arrived at
- hostname - Domain
- favicon_icons - Image displaying the favicon returned for that result
- favicon_murmur3 - Murmur3 hash (standard favicon)
- favicon2_murmur3 - Murmur3 hash (favicon2)
To add or remove categories from the results table, click the icon next to Basic Raw Data and choose additional categories from the list.
To get a comprehensive breakdown of each result, including all relevant SPQL field names associated with the result, click Expand on the far right of the results table.
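To cross-check exported results offline, the sketch below hashes a favicon and filters result rows by the `hostname` and `favicon_murmur3` fields described above. It is an added example, not Silent Push code: the base64-then-Murmur3 convention, the row layout, and all sample values are assumptions constructed for illustration.

```python
import base64

MASK = 0xFFFFFFFF

def _mix(k: int) -> int:
    k = (k * 0xCC9E2D51) & MASK
    k = ((k << 15) | (k >> 17)) & MASK
    return (k * 0x1B873593) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed 32-bit integer."""
    h = seed & MASK
    full = len(data) - len(data) % 4
    for i in range(0, full, 4):
        h ^= _mix(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    if data[full:]:  # 1-3 trailing bytes
        h ^= _mix(int.from_bytes(data[full:], "little"))
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_murmur3(icon: bytes) -> int:
    # Assumption: hash the base64 text of the icon (a common favicon-hash
    # convention); the page does not state how Web Scanner derives its value.
    return murmur3_32(base64.encodebytes(icon))

def is_trusted(host: str, trusted: set) -> bool:
    # Exact match or true subdomain only; "example.com.evil.test" must fail.
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)

def impersonators(rows: list, icon: bytes, trusted: set) -> list:
    want = favicon_murmur3(icon)
    return [r["hostname"] for r in rows
            if r["favicon_murmur3"] == want and not is_trusted(r["hostname"], trusted)]

# Constructed sample data (not real scan output).
ICON = b"\x00\x00\x01\x00constructed-favicon-bytes"
ROWS = [
    {"hostname": "login.example.com", "favicon_murmur3": favicon_murmur3(ICON)},
    {"hostname": "example.com.account-verify.test", "favicon_murmur3": favicon_murmur3(ICON)},
    {"hostname": "unrelated.test", "favicon_murmur3": favicon_murmur3(b"other icon")},
]
```

The suffix check matters because a lookalike host can embed the trusted domain as a leading label; only an exact match or a genuine subdomain is treated as your own infrastructure.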
Monitoring changes
Once you've received a set of results, Silent Push allows you to monitor the data, alerting you of changes via email every 24 hours.
- Click the Monitor button on the top right of the results screen
- Enter a Monitor name
- Enter a Description
- Click Save