Favicon, a compound of Favorites and Icon, is the icon that represents a website on the browser tab above the address bar, and almost every public website has one. Criminal IP (https://www.criminalip.io) provides the “favicon” filter, which lets you search for IP addresses by a website’s favicon. With this filter you can also find spoofed domains as well as exposed assets such as admin pages reachable from the internet.

How to Use Favicon Filter

There is one thing we need to figure out before using the favicon filter on Criminal IP Asset Search, and that is the favicon-hash. To find a favicon-hash you can use Python or a free online favicon hash calculator, among many other methods. However, since Criminal IP only accepts hexadecimal values, make sure you convert the calculated decimal value to hexadecimal. With this in mind, we used the favicon filter to search for the router manufacturer MikroTik, as an example, and found a total of 409,882 MikroTik RouterOS admin pages.

favicon: 72b36155
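To make the “calculate the hash, then convert decimal to hex” step concrete, here is an added Python example (not Criminal IP’s own code). It computes the Shodan-style favicon hash, MurmurHash3 (x86, 32-bit, seed 0) over the base64 encoding of the icon bytes, in pure Python and turns the signed decimal into the 8-digit hex the filter takes. That Criminal IP uses exactly this scheme, and two’s-complement hex for negative values, is an assumption here; check the output against a value you already know, such as the MikroTik hash quoted above.

```python
import base64
import sys
import urllib.request

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the algorithm behind Python's mmh3.hash), unsigned result."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed
    nblocks = len(data) // 4
    for i in range(nblocks):                       # full 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask         # rotl32(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask         # rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]                      # 0-3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)                                 # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    return h ^ (h >> 16)

def to_signed32(value: int) -> int:
    """Reinterpret as the signed 32-bit integer that mmh3 and Shodan report."""
    return value - (1 << 32) if value & 0x80000000 else value

def favicon_hash_decimal(icon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over base64 with a line break every 76 chars."""
    return to_signed32(murmur3_32(base64.encodebytes(icon)))

def decimal_to_criminalip_hex(value: int) -> str:
    """Criminal IP takes hex; negatives are assumed to map via 32-bit two's complement."""
    return f"{value & 0xFFFFFFFF:08x}"

def favicon_hash_hex(icon: bytes) -> str:
    return decimal_to_criminalip_hex(favicon_hash_decimal(icon))

if __name__ == "__main__":
    # Fetch an icon you are authorised to query and print a filter line like "favicon: 72b36155".
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/favicon.ico"  # placeholder URL
    icon = urllib.request.urlopen(url, timeout=10).read()
    print(f"favicon: {favicon_hash_hex(icon)}  (decimal {favicon_hash_decimal(icon)})")
```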


Result when searched with MikroTik’s favicon-hash on Criminal IP

If you access one of the searched IP addresses, you will be directed to a MikroTik RouterOS configuration page.


MikroTik RouterOS configuration page

How to Search for Spoofed Domains

In addition, you can use the favicon to uncover spoofed domains.

[Criminal IP YouTube – How to Find a Fake PayPal Login Page with the Favicon Filter]


Upon searching for PayPal’s favicon-hash on Asset Search, you can find every IP address that serves PayPal’s favicon.

favicon: 126b479d


Result when searched with Paypal’s favicon-hash on Criminal IP

Among the returned IP addresses were both genuine PayPal hosts and spoofed websites. To narrow the results down to spoofed domains only, add the filter “-as_name:PayPal, Inc.”, which excludes every IP address in an autonomous system owned by PayPal. Note that the AS name must be entered as the corporation’s legal name to get the most accurate result.

favicon: 126b479d -as_name: PayPal, Inc.

Only IP addresses that carry the PayPal favicon but are not owned by PayPal, Inc.

Result when searched “favicon: 126b479d -as_name: Paypal, Inc.” on Criminal IP

When we checked one of these IP addresses, we found a website that is indistinguishable from the real PayPal login page. It had PayPal’s favicon, title and UI, almost everything that makes up the real page. However, every function except login, such as the language selector and the cookie-policy link, is inactive, and above all the browser displays a warning because the website has no valid SSL certificate. From this we can assume that it is a spoofed website.


Login page of a spoofed website


Actual Paypal login page

The favicon filter can be used in many more cases as well. We have previously posted a blog about using the favicon filter to find HFS HTTP File Servers exposed on the attack surface, so check it out to learn more about filter usage.


Source : Criminal IP (https://www.criminalip.io)