Skip to main content

Unmasking phishing pages: the power of favicon hunting

Phishing attacks continue to be a pervasive threat in the realm of information security, targeting individuals and organizations alike. As specialized professionals in the field, it is essential to stay updated on the latest phishing trends and techniques. This article presents an overview of the most abused favicons in the urldna database.

understanding favicons as phishing indicators:

Favicons, the small icons associated with websites, play a crucial role in phishing detection. Attackers often replicate legitimate favicons to create deceptive phishing pages, aiming to trick users into believing they are interacting with trusted websites. By familiarizing ourselves with commonly abused favicons, we can enhance our ability to identify and combat phishing attempts effectively.

Based on an analysis of recent phishing campaigns, the following chart showcases the top 10 abused favicons in our databases:

FaviconAbused BrandPhash
ImageM&T Bankaa54d5af2e90417d

All product names, logos, brands, trademarks and registered trademarks are property of their respective owners.

How to search for a Favicon on urldna:


In order to find website in urldna database that have a specific favicon you can use this query:

favicon: Favicon hash

It's important to note that the hash is phash.
Here also a quick script in python that you can use to calculate the phash of a favicon:

from PIL import Image
import imagehash

# Load the image
image_path = 'path_to_image.jpg'  # Insert the image path here
image =

# Calculate the pHash
phash = imagehash.phash(image)

# Print the pHash
print("pHash:", phash)

You can use the hash that you obtain to query for results on urldna database.

Happy Hunting!!

Photo by Philipp Katzenberger on Unsplash


Popular posts from this blog

Guide to Using the Search Function on

The search function on allows you to find specific information about URLs or domains using either a direct search or a custom query language. This guide will walk you through the process of using the search function effectively. You can click on the magnifying glass icon next to each attribute to search for that value. Direct Search To perform a direct search, simply type the word that you want to search directly into the search bar. Example:  example  will find all the submitted urls that cointain example. Custom Query Language The Custom Query Language allows you to perform more specific searches using attributes, operators, and values. The basic structure of a Custom Query Language search is:  ATTRIBUTE OPERATOR VALUE Available Attributes The following attributes can be used in the Custom Query Language searches: domain : Scan a domain submitted_url : Submitted URL category : Page category target_url : Redirected URL device : Device type (MOBILE or DESKTOP) user_agent : W