A favicon (a compound of “favorites” and “icon”) is the small icon that represents a website; it appears on the browser tab next to the address bar, and almost every website a user visits serves one. Criminal IP (https://www.criminalip.io) provides a “favicon” filter that lets you search for IP addresses by a website’s favicon. With this filter you can also find spoofed domains, as well as exposures such as admin pages reachable from the internet.

How to Use Favicon Filter

Before using the favicon filter on Criminal IP Asset Search, you need one piece of information: the favicon hash. You can compute it with Python or with a free online favicon hash calculator, among other methods. However, Criminal IP accepts the favicon hash only in hexadecimal, so the decimal value that most calculators produce must be converted to hexadecimal before searching. With this in mind, we used the favicon filter to search for the router manufacturer MikroTik as an example and found a total of 409,882 MikroTik RouterOS admin pages.
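As an added example (not code from the Criminal IP post), the script below computes a favicon hash in pure Python and converts between the decimal form most calculators print and the hexadecimal form Criminal IP uses. It assumes the common Shodan-style algorithm, MurmurHash3 (mmh3) over the base64-encoded icon bytes, which the post does not spell out, and it assumes negative hashes are written as their 32-bit two’s-complement hex. The two hex values quoted on the page, 72b36155 and 126b479d, correspond to 1924358485 and 309020573 in decimal.

```python
import base64
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    """Rotate a 32-bit value left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 in pure Python, returned as an unsigned 32-bit int.

    This is the function the mmh3 library exposes as mmh3.hash(); it is
    reimplemented here so the example runs without third-party packages.
    """
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4

    # Body: consume the input in little-endian 4-byte blocks.
    for (k1,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: the remaining 0..3 bytes.
    tail = data[nblocks * 4 :]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalization mix.
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as the signed int mmh3/Shodan print."""
    value &= MASK32
    return value - 0x100000000 if value & 0x80000000 else value


def favicon_hash_decimal(icon: bytes) -> int:
    """Shodan-style favicon hash (assumed algorithm): mmh3 over the MIME base64
    encoding of the raw favicon bytes (76-char lines, trailing newline),
    returned as a signed decimal like the online calculators show."""
    return to_signed32(murmur3_x86_32(base64.encodebytes(icon)))


def decimal_to_hex(signed_hash: int) -> str:
    """Convert the signed decimal hash into the 8-digit hex form Criminal IP expects.
    Negative values are written as their two's-complement 32-bit pattern
    (assumption: the page only shows positive examples)."""
    return format(signed_hash & MASK32, "08x")


def hex_to_decimal(hex_hash: str) -> int:
    """Reverse conversion, e.g. to look up a Criminal IP hash in a decimal-based tool."""
    return to_signed32(int(hex_hash, 16))


def favicon_hash_hex(icon: bytes) -> str:
    """Favicon hash ready to paste into Criminal IP's favicon filter."""
    return decimal_to_hex(favicon_hash_decimal(icon))


if __name__ == "__main__":
    import sys

    # Usage: python favicon_hash.py favicon.ico
    with open(sys.argv[1], "rb") as f:
        icon_bytes = f.read()
    dec = favicon_hash_decimal(icon_bytes)
    print(f"decimal (calculator style): {dec}")
    print(f"hex (Criminal IP style):    {decimal_to_hex(dec)}")
    # The two hashes quoted on the page, converted the other way:
    # hex_to_decimal("72b36155") -> 1924358485, hex_to_decimal("126b479d") -> 309020573
```

Run it against a downloaded favicon.ico; the hex line is what goes after `favicon:` in the Asset Search query. The pure-Python hash is verified against the published MurmurHash3 test vectors, so it can also be used to cross-check a value from an online calculator before converting it.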

favicon: 72b36155


Result when searched with MikroTik’s favicon-hash on Criminal IP

If you access one of the searched IP addresses, you will be directed to a MikroTik RouterOS configuration page.


MikroTik RouterOS configuration page

How to Search for Spoofed Domains

The favicon filter can also be used to uncover spoofed domains.

[Criminal IP YouTube – How to Find Fake PayPal Login Page with Favicon Filter]

Upon searching for PayPal’s favicon-hash on Asset Search, you can find every IP address with PayPal’s favicon.

favicon: 126b479d

PayPal’s favicon-hash search results on Criminal IP

Result when searched with PayPal’s favicon-hash on Criminal IP

The results include both PayPal’s genuine website and spoofed copies. To narrow the results down to spoofed domains only, add the filter “-as_name:PayPal, Inc.”, which excludes every IP address owned by PayPal. Note that the AS name must be the corporation’s legal name for the exclusion to be accurate.

favicon: 126b479d -as_name: PayPal, Inc.

Searching only for IP addresses that carry the PayPal favicon but are not owned by PayPal, Inc.

Result when searched “favicon: 126b479d -as_name: PayPal, Inc.” on Criminal IP

Checking one of the remaining IP addresses, we found a website almost identical to the real PayPal login page: it carried PayPal’s favicon, title, and user interface. However, every function on the site other than the login form was inactive, including the language selector and the cookie policy, and the browser displayed a warning that the site had no SSL certificate. Based on this, we can conclude that the site is a spoofed website.


Login page of a spoofed website


Actual PayPal login page

The favicon filter has many more uses. We have previously published a post on using it to find HFS HTTP File Servers exposed to the internet, so read that to learn more about how the filter can be applied.


Source : Criminal IP (https://www.criminalip.io)