Threat actors impersonate your domain by copying or mimicking the favicon to provide a subtle but effective method to hide an illegitimate domain behind a legitimate domain.
By impersonating your favicon, threat actors:
- Increase the visual credibility of their illegitimate domain.
- Enhance the realism of their phishing attack.
- Evade basic detection tools.
- Boost their social engineering efforts.
- Establishing consistency across an ecosystem of phishing domains and illegitimate domains.
Our Favicon Impersonation query helps you detect domains that are using the favicon of a legitimate brand without authorization. This enables you to proactively identify phishing or brand impersonation attempts early and intervene before these domains can trick users, compromise credentials, or damage the brand’s reputation.
To identify fraudulent domains that are impersonating your infrastructure by using your favicon, use the Favicon Impersonation query:
-
From the home page, select Brand Impersonation.
-
Select Favicon Impersonation.
-
Select Create New +.
-
In the Domain Name box, enter the name of a domain to investigate.
-
Select Search.
-
(Optional) To save your results, select Save.
Understand your Favicon Impersonation results
Use the following table to understand the details of your results.
| Column Name | Description | |
|---|---|---|
| 1 | scan_date | Date and time that we scanned the data. |
| 2 | origin_url | URL that we originally scanned. |
| 3 | URL | URL that is the final destination of your query. |
| 4 | hostname | Name of the domain. |
| 5 | favicon_icons | Image of the favicon we display in the results. |
| 6 | favicon_murmuer3 | Murmur3 hash of the standard favicon. |
| 7 | favicon2_murmuer3 | Murmur3 hash of an alternative favicon. |
-
To add a filter or remove a filter from the results table, select the icon next to Basic Raw Data, and choose your preference.
-
To expand on a specific result to your query and view additional information, select Expand.