How to find Phishing websites with Favicon Hash

By Nasrin. Published in System Weakness, Jul 3, 2023 (3 min read)


Favicon hashes can be used for finding vulnerable and phishing websites

A favicon hash can be a way to find vulnerable websites, which is especially useful in bug bounty programs. This works because different versions of software use different favicons.

But a favicon's hash is not just for finding vulnerable websites. Another useful application is finding phishing websites, because fake websites try to look exactly like the original website, from top (the favicon) to bottom. In this way we may find the IPs of these phishing websites and report them.


Services like Shodan calculate and let us search MurmurHash values for all favicons. In this way it can be pretty easy to find specific services and devices.

OK, let's explain it with an example:

1- First we need a favicon. To get the favicon's URL, use Inspect Element or "View Page Source" on the website and look for "favicon". Click the link you find there and you will get the favicon, for example: https://en.wikipedia.org/static/favicon/wikipedia.ico

2- Now we need its hash. To get the favicon's hash we can use services like faviconhash.com, although there are Python scripts too. I got it through the online service. Unfortunately, faviconhash.com is not up anymore, so you should use a Python script.


and the result is: 857403617

3- OK, so far so good. Now we are going to use Shodan and its filters to search for this hash (you need to log in to your Shodan account):

http.favicon.hash:NUMBER

The search returns more than 800 websites that are using the same favicon. We can now use other filters to find suspicious websites, for example:

http.favicon.hash:857403617 product:"Apache httpd"

You can learn more about Shodan filters from here. For a real case, check a filter like this:

http.favicon.hash:------- hostname:------ http.html:login

I just used Wikipedia to explain this method. I mean, I was not going to find anything suspicious :) Try this method on real examples, like your org's websites, or websites that you are working on in bug bounty programs.

Like what I did for “Ziraat Bank” (a bank in Turkey), and look what I have found:

[Screenshots from the original post: the search results, and one of the sites found]
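Since faviconhash.com is gone, here is a script for step 2, plus a first pass over search results for your own org. It is an added example, not code from the original post. The hash is the signed 32-bit MurmurHash3 of the favicon's base64 text, the same value `mmh3.hash` returns; MurmurHash3 is written out here so only the standard library is needed. `unknown_hosts`, the sample icon and the sample matches are constructed for illustration.

```python
import base64

MASK = 0xFFFFFFFF

def _mix(k: int) -> int:
    """MurmurHash3 per-block scramble."""
    k = (k * 0xCC9E2D51) & MASK
    k = ((k << 15) | (k >> 17)) & MASK
    return (k * 0x1B873593) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int (same value as mmh3.hash)."""
    h, n = seed & MASK, len(data)
    body = n - n % 4
    for i in range(0, body, 4):
        h ^= _mix(int.from_bytes(data[i:i + 4], "little"))
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    if n % 4:  # 1-3 trailing bytes
        h ^= _mix(int.from_bytes(data[body:], "little"))
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    """Hash the MIME-style base64 text (76-char lines plus newlines), not the raw bytes."""
    return murmur3_32(base64.encodebytes(icon))

def unknown_hosts(matches, own_domains):
    """Keep matches with no hostname under one of our own domains."""
    def ours(host):
        return any(host == d or host.endswith("." + d) for d in own_domains)
    return [m["ip_str"] for m in matches if not any(ours(h) for h in m["hostnames"])]

# Constructed sample data (not a real icon or real Shodan output); dict keys are assumed.
SAMPLE_ICON = b"\x00\x00\x01\x00" + bytes(range(200))
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "hostnames": ["www.example.com"]},
    {"ip_str": "198.51.100.7", "hostnames": ["example.com.login.example.net"]},
    {"ip_str": "203.0.113.5", "hostnames": []},
]

if __name__ == "__main__":
    print("http.favicon.hash:%d" % favicon_hash(SAMPLE_ICON))
    print(unknown_hosts(SAMPLE_MATCHES, ["example.com"]))
```

For a real site, pass the downloaded favicon bytes to `favicon_hash`. A plain `base64.b64encode` (no line breaks) gives a different number that will not match Shodan's index.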

I hope you find this article useful.

This is the way.
