Skip to main content

Unmasking phishing pages: the power of favicon hunting

Phishing attacks continue to be a pervasive threat in the realm of information security, targeting individuals and organizations alike. As specialized professionals in the field, it is essential to stay updated on the latest phishing trends and techniques. This article presents an overview of the most abused favicons in the urldna database.

understanding favicons as phishing indicators:

Favicons, the small icons associated with websites, play a crucial role in phishing detection. Attackers often replicate legitimate favicons to create deceptive phishing pages, aiming to trick users into believing they are interacting with trusted websites. By familiarizing ourselves with commonly abused favicons, we can enhance our ability to identify and combat phishing attempts effectively.

Based on an analysis of recent phishing campaigns, the following chart showcases the top 10 abused favicons in our databases:

FaviconAbused BrandPhash
ImageM&T Bankaa54d5af2e90417d

All product names, logos, brands, trademarks and registered trademarks are property of their respective owners.

How to search for a Favicon on urldna:


In order to find website in urldna database that have a specific favicon you can use this query:

favicon: Favicon hash

It's important to note that the hash is phash.
Here also a quick script in python that you can use to calculate the phash of a favicon:

from PIL import Image
import imagehash

# Load the image
image_path = 'path_to_image.jpg'  # Insert the image path here
image =

# Calculate the pHash
phash = imagehash.phash(image)

# Print the pHash
print("pHash:", phash)

You can use the hash that you obtain to query for results on urldna database.

Happy Hunting!!

Photo by Philipp Katzenberger on Unsplash


Popular posts from this blog

Unleash the Power of Brand Monitoring

We're thrilled to unveil our latest feature that puts you in control – brand monitoring! This groundbreaking function is designed to empower our registered users to keep a vigilant eye on their brand effortlessly. The best part? It's absolutely free for all our registered members. Start your monitoring today on How It Works: Monitoring your brand is now a breeze with just a few simple steps. All you need are a few essential elements: Rule Name: Give your monitoring rule a catchy and memorable name. For instance, let's create a rule for the urlDNA brand – "urlDNA Monitoring Magic." Brand Assets: Provide us with the visual identity of your brand. Upload screenshots, logos, favicons – everything that defines your brand's unique essence. Watch as our advanced algorithm scours our extensive database to pinpoint occurrences related to your brand. Keywords: Supercharge your monitoring by adding relevant keywords. For our urlDNA example, include &quo

Guide to Using the Search Function on

The search function on allows you to find specific information about URLs or domains using either a direct search or a custom query language. This guide will walk you through the process of using the search function effectively. You can click on the magnifying glass icon next to each attribute to search for that value. Direct Search To perform a direct search, simply type the word that you want to search directly into the search bar. Example:  example  will find all the submitted urls that cointain example. Custom Query Language The Custom Query Language allows you to perform more specific searches using attributes, operators, and values. The basic structure of a Custom Query Language search is:  ATTRIBUTE OPERATOR VALUE Available Attributes The following attributes can be used in the Custom Query Language searches: domain : Scan a domain submitted_url : Submitted URL category : Page category target_url : Redirected URL device : Device type (MOBILE or DESKTOP) user_agent : W