
The importance of favicons in website OSINT research


FAVICON OVERVIEW

Favicons on websites are graphic elements that show up in the form of a small icon – be it in a browser tab panel next to the website’s name, or in bookmarked links to websites.

You can also see favicons in Google search results if you wrap a website’s name in quotation marks, as in the example query below:

“osintme.com”

Links to favicons on specific target websites can be located by viewing the webpage’s source code. To do so, right-click > view page source, then use the find-in-page function (typically Ctrl + F) to search for one or more of the following values:

  • file extension – for example .jpg, .png, .gif, .ico – traditionally, the dominant favicon file format has been .ico (“icon file”) and it still is frequently encountered, but you also have the commonly recognised image file extensions. The drawback of this approach to source code searching is that in a graphically rich website it will return multiple images that were embedded in it – not just the favicon.
  • sizes= – searching for this value will allow you to return image files with a defined pixel size – favicons typically have specific sizes, for obvious reasons of fitting into browser tabs and bookmarks. Traditional favicon size is 16×16 pixels, but baseline sizes of 32×32 and 64×64 pixels are also relatively common nowadays. Larger favicon sizes usually cater to mobile devices, smart TVs, etc.
  • rel="icon" – you are searching for a parameter that defines the image used as a favicon. Often this might be the quickest and the most convenient search value to go for.
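The same source-code search can be automated. The sketch below is an added example, not code from the original post: it parses a page's markup for `<link>` tags whose `rel` declares an icon, resolves each `href` against the page URL, records `sizes`, and flags icons served from a different host than the page. The names `FaviconLinkParser` and `find_favicons`, and the sample markup and hostnames, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FaviconLinkParser(HTMLParser):
    """Collects <link> tags whose rel attribute declares an icon."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.icons = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        rel_tokens = attr.get("rel", "").lower().split()
        # Covers rel="icon", "shortcut icon", "apple-touch-icon", "mask-icon".
        if not attr.get("href") or not any("icon" in t for t in rel_tokens):
            return
        url = urljoin(self.page_url, attr["href"])
        self.icons.append({
            "url": url,
            "sizes": attr.get("sizes") or None,
            # True when the icon is served from a different host than the page
            "external": urlparse(url).hostname != urlparse(self.page_url).hostname,
        })


def find_favicons(html, page_url):
    parser = FaviconLinkParser(page_url)
    parser.feed(html)
    parser.close()
    if parser.icons:
        return parser.icons
    # No declaration in the markup: browsers fall back to /favicon.ico
    fallback = urljoin(page_url, "/favicon.ico")
    return [{"url": fallback, "sizes": None, "external": False}]


# Constructed sample page source (hostnames are placeholders)
SAMPLE_URL = "https://login.shop.example/account/signin.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="icon" type="image/png" sizes="32x32" href="/static/favicon-32.png">
<link rel="Shortcut Icon" href="favicon.ico">
<link rel="apple-touch-icon" sizes="180x180" href="//cdn.brand.example/touch-180.png" />
</head><body><img src="/banner.png"></body></html>"""

if __name__ == "__main__":
    for icon in find_favicons(SAMPLE_HTML, SAMPLE_URL):
        print(icon)
```

Unlike a plain search for file extensions, this ignores the stylesheet and the embedded banner image and returns only the declared icons.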

FAVICON TYPES & SIZES

  • Regular desktop browser favicon – 16×16
  • Taskbar shortcut icon – 32×32
  • Desktop shortcut icon – 96×96
  • Google TV – 96×96
  • iPhones – 120×120; 180×180
  • iPads – 152×152; 167×167
  • Chrome web store icon – 128×128
  • Android Chrome icon – 196×196

Favicons have several use cases, unrelated to our use case of website OSINT.

The most common of those include:

  • Optimised browser tab navigation
  • Better user experience in browser and on the web
  • Increased search engine optimization score (SEO) for a website
  • Brand recognition & reputation building
  • Browser activity tracking – see this Vice article and a blog post by Bruce Schneier.

FAVICON EXAMINATION

As I previously mentioned in a blog post on investigating phishing campaigns from several years ago: in the case of fraudulent websites, a favicon is often copied or directly linked from the original page that is being impersonated, in order to bolster the impression of legitimacy.

The most obvious aim of favicon research in this case is to identify rogue websites that impersonate legitimate entities. Sadly, some of the tools used in the last example no longer work – so here’s a new set of investigative resources for 2025 – and hopefully beyond.

Favicone – an API service that allows you to easily retrieve and serve favicons from any website. You basically insert the website name into the URL and should get a result immediately. Favicone also offers a quick explainer on what potential issues might arise and why.

Favicon Grabber – similar idea and functionality as above – you append your target domain to the base URL. Subjectively, I found this tool slightly less reliable than Favicone, but it’s good to have a backup just in case.

Favihash – this new tool from Predicta Labs does more than the above two. It allows you to calculate a favicon hash value across the clearnet / darknet sites and then identify other websites that share the same hash value. Favihash accepts inputs both from a URL and from a local machine. Hashes generated this way can later be searched against on services like VirusTotal, Shodan, etc.

Favicon-hash – like Favihash, this tool allows users to upload a favicon image or work off a URL input with a favicon to generate hash values that are searchable on VirusTotal, Shodan and Censys.

If for whatever reason you don’t want to use web-based tools, you can check out Favicorn and Favihunter. Both of these will require local installation and will run from the command line; they require a bit more work to set up, but they offer more insights in terms of hash value varieties.

PRACTICAL APPLICATION

Let’s imagine we are investigating fake websites impersonating Amazon UK – or websites involved in phishing campaigns or spam distribution that pose as said entity.

The first step would be to locate the favicon on the Amazon UK website – which is pretty straightforward:

https://www.amazon.co.uk/favicon.ico

Then we calculate the hash values using one of the tools mentioned above…


From there we can initiate a search for the favicon hash value 1941681276 and MD5 hash value ca6619b86c2f6e6068b69ba3aaddb7e4 with both Shodan and Censys.
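For reference, this is how the two kinds of value are derived, as an added example that is not part of the original post or of any of the tools listed above. Shodan's `http.favicon.hash` is the 32-bit MurmurHash3 of the line-wrapped base64 encoding of the favicon file, read as a signed integer (which is why some values are negative), while the MD5 is taken over the raw file bytes. MurmurHash3 is implemented inline so the block runs without third-party packages; the function names and `SAMPLE_ICON` bytes are constructed for illustration.

```python
import base64
import hashlib

MASK = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def _mix(k):
    k = (k * 0xCC9E2D51) & MASK
    k = _rotl(k, 15)
    return (k * 0x1B873593) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit integer."""
    h = seed & MASK
    body = len(data) & ~3                 # length of the whole 4-byte blocks
    for i in range(0, body, 4):
        h ^= _mix(int.from_bytes(data[i:i + 4], "little"))
        h = _rotl(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK
    if len(data) & 3:                     # 1-3 trailing bytes
        h ^= _mix(int.from_bytes(data[body:], "little"))
    h ^= len(data)
    h ^= h >> 16                          # final avalanche
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hashes(icon: bytes) -> dict:
    # encodebytes() wraps at 76 characters and ends with a newline;
    # the hash only matches Shodan's value if that wrapping is kept.
    mmh3 = murmur3_32(base64.encodebytes(icon))
    return {
        "mmh3": mmh3,
        "md5": hashlib.md5(icon).hexdigest(),
        "shodan_query": f"http.favicon.hash:{mmh3}",
    }


# Constructed bytes standing in for a downloaded favicon.ico
SAMPLE_ICON = bytes.fromhex("000001000100101000000100") + bytes(range(200))

if __name__ == "__main__":
    print(favicon_hashes(SAMPLE_ICON))
```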

You can see multiple legitimate websites and IP addresses associated with various Amazon services. However, the moment you filter the search results by country and head over to the high risk ones like Russia, you get several hits like these:

https://www.shodan.io/host/89.23.100.153

http.favicon.hash:1941681276 country:"RU"


It appears that the above websites are already on the radar: the VirusTotal detections for the domains include Malicious, Spam and Phishing.

Additional exploration of IP address 89.23.100.153 with Shodan (warning, malicious alert!) results in a hit for a similar Amazon-themed fake website, involved in an “Amazon Gift Card Giveaway” scam – see the Censys results here.

You can pivot quickly from it because we just found another favicon to focus on:

http.favicon.hash:-1255845316

Pulling these threads usually results in discovering multiple connected websites that can then be researched against various other parameters like registration timelines, hosting providers, technology stacks and more.
