Favicon, a compound word for Favorites and Icon, is the icon that represents a website; it appears on the browser tab above the address bar and is used by almost every public website. Criminal IP (https://www.criminalip.io) provides the “favicon” filter, which lets you search for IP addresses by a website’s favicon. With this filter you can also find spoofed domains, as well as exposed assets such as admin pages reachable from the internet.
How to Use Favicon Filter
Before using the favicon filter on Criminal IP Asset Search, there is one thing we need to determine: the favicon-hash. To find a favicon-hash, you can use Python or a free online favicon hash calculator, among other methods. However, since Criminal IP only accepts hexadecimal values, make sure you convert the calculated decimal value to hexadecimal. With this in mind, we used the favicon filter to search for the router manufacturer MikroTik as an example, and found a total of 409,882 MikroTik RouterOS admin pages.
If you access one of the IP addresses in the results, you will be directed to a MikroTik RouterOS configuration page.
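As an added example (not code from the Criminal IP post), here is the hash computation in Python: a pure-Python MurmurHash3 x86_32 (so the mmh3 package is not required) applied to the base64 text of the icon bytes in the Shodan convention, followed by the decimal-to-hexadecimal conversion the post says Criminal IP requires. It assumes Criminal IP's favicon-hash follows that same MurmurHash3-over-base64 convention (the post's 126b479d is the hex form of such a value); the helper names are mine.

```python
import base64

MASK32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32, returned as a signed 32-bit int (same as mmh3.hash)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    n_blocks = len(data) // 4
    for i in range(n_blocks):  # 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail, k = data[4 * n_blocks:], 0  # 0-3 leftover bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        h ^= (k * c2) & MASK32
    h ^= len(data)
    h ^= h >> 16  # finalisation mix
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon_bytes: bytes) -> int:
    """Shodan-style hash: MurmurHash3 of the base64 text, keeping the 76-column newlines."""
    return murmurhash3_32(base64.encodebytes(favicon_bytes))


def to_criminalip_hex(signed_hash: int) -> str:
    """Signed decimal hash -> 8-digit hex, the form the favicon filter accepts (assumed)."""
    return f"{signed_hash & MASK32:08x}"


def favicon_filter(favicon_bytes: bytes) -> str:
    """Build the Asset Search filter string from the raw bytes of a downloaded favicon."""
    return f"favicon: {to_criminalip_hex(favicon_hash(favicon_bytes))}"
```

Read the bytes of a site's favicon.ico from disk and pass them to favicon_filter to get the query string; the signed decimal from favicon_hash is what online calculators usually display.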
How to Search for Spoofed Domains
In addition, you can use the favicon to uncover spoofed domains.
[Criminal IP YouTube – How to Find Fake PayPal Login Page with Favicon Filter]
Searching for PayPal’s favicon-hash on Asset Search returns every IP address serving PayPal’s favicon.
Among the returned IP addresses, spoofed websites were found alongside the genuine ones. To narrow the results down to spoofed domains only, add the filter “-as_name:PayPal, Inc.”, which excludes every IP address owned by PayPal. Note that you have to enter the corporation’s legal name to get the most accurate result.
favicon: 126b479d -as_name: PayPal, Inc.
When checking one of these IP addresses, we found a website that is almost indistinguishable from the real PayPal login page. It had PayPal’s favicon, title, and UI, nearly everything that makes it resemble the real page. However, all of its functions except login, such as the language selector and cookie policy links, are inactive, and above all the browser displays a warning because the website has no valid SSL certificate. From these indicators we can assume that this is a spoofed website.
The favicon filter can be used in many more cases as well. We have previously posted a blog about using the favicon filter to find HFS HTTP File Servers exposed to the internet, so check it out to learn more about filter usage.