After developing a proof-of-concept for brand monitoring using the VirusTotal API, Maurice Fielenbach is finalizing a tool that tracks domains using a target's favicon hash. This method helps detect phishing campaigns where attackers reuse stolen favicons to deceive users. The tool monitors high-value targets like Microsoft, DHL, and Netflix via a JSON-configured script running multiple times daily.
You Should Know:
1. How Favicon Hashing Works
A favicon file is identified by its hash (e.g., SHA-256), and attackers often copy the real favicon onto phishing sites. Extract the favicon's hash and compare it against VirusTotal's database:

```bash
# Get favicon hash (Linux)
curl -s https://target.com/favicon.ico | sha256sum
```
2. Automating VirusTotal API Queries
Use VirusTotal's API to search for domains sharing a favicon hash:

```python
import requests

api_key = "YOUR_VIRUSTOTAL_API_KEY"   # placeholder: use your own key
favicon_hash = "TARGET_FAVICON_HASH"  # SHA-256 from step 1
url = f"https://www.virustotal.com/api/v3/files/{favicon_hash}/domains"
headers = {"x-apikey": api_key}

response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()  # fail on 401/404/429 instead of parsing an error body
print(response.json())
```
3. JSON Configuration for Monitoring
Create a `config.json` to define monitoring targets:

```json
{
  "targets": [
    {"name": "Microsoft", "domain": "microsoft.com"},
    {"name": "DHL", "domain": "dhl.com"}
  ],
  "scan_frequency": "6h"
}
```
4. Scheduling Scans with Cron
Run the script periodically via `cron`:

```bash
# Edit crontab
crontab -e
# Add this line to run every 6 hours (minute 0 of hours 0, 6, 12, 18)
0 */6 * * * /usr/bin/python3 /path/to/monitor_script.py
```
5. Detecting Malicious Domains
Parse VirusTotal's response for suspicious domains and log them:

```python
# `response` is the requests.Response object from step 2
for domain in response.json().get("data", []):
    stats = domain["attributes"]["last_analysis_stats"]
    if stats["malicious"] > 0:
        print(f"Phishing alert: {domain['id']} ({stats['malicious']} engines flagged it)")
```
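As an added example (not the author's tool), the following script ties steps 1, 3 and 5 together: it loads a config in the page's `config.json` shape, hashes each target's favicon, and flags domains that share the hash and carry malicious verdicts. The favicon fetcher and the VirusTotal lookup are injected as callables, and the constructed `fake_fetch`/`fake_vt` stand-ins let it run offline; the real script would pass functions that download the favicon and call the step-2 endpoint.

```python
import hashlib
import json
from typing import Callable

# Constructed config in the same shape as the page's config.json
CONFIG_JSON = """
{"targets": [{"name": "Microsoft", "domain": "microsoft.com"},
             {"name": "DHL", "domain": "dhl.com"}],
 "scan_frequency": "6h"}
"""

def favicon_sha256(favicon_bytes: bytes) -> str:
    """Same value `curl ... | sha256sum` prints for the downloaded file."""
    return hashlib.sha256(favicon_bytes).hexdigest()

def flag_domains(vt_response: dict, own_domain: str) -> list:
    """Return (domain, malicious_count) for domains reusing the favicon,
    skipping the legitimate domain itself so it never alerts on its own icon."""
    alerts = []
    for item in vt_response.get("data", []):
        domain = item.get("id", "")
        stats = item.get("attributes", {}).get("last_analysis_stats", {})
        if domain != own_domain and stats.get("malicious", 0) > 0:
            alerts.append((domain, stats["malicious"]))
    return alerts

def run_scan(config_json: str, fetch_favicon: Callable[[str], bytes],
             query_vt: Callable[[str], dict]) -> dict:
    """One scan cycle: hash each target's favicon, look it up, collect alerts."""
    report = {}
    for target in json.loads(config_json)["targets"]:
        h = favicon_sha256(fetch_favicon(target["domain"]))
        report[target["name"]] = {"favicon_sha256": h,
                                  "alerts": flag_domains(query_vt(h), target["domain"])}
    return report

# Constructed offline stand-ins for the network calls (hypothetical data)
FAKE_FAVICONS = {"microsoft.com": b"\x00\x00\x01\x00MSFT-ICON",
                 "dhl.com": b"\x00\x00\x01\x00DHL-ICON"}

def fake_fetch(domain: str) -> bytes:
    return FAKE_FAVICONS[domain]

def fake_vt(favicon_hash: str) -> dict:
    # Pretend the Microsoft favicon is reused by one flagged lookalike domain
    if favicon_hash == favicon_sha256(FAKE_FAVICONS["microsoft.com"]):
        return {"data": [
            {"id": "microsoft.com", "attributes": {"last_analysis_stats": {"malicious": 0}}},
            {"id": "lookalike-login.example", "attributes": {"last_analysis_stats": {"malicious": 4}}}]}
    return {"data": []}

if __name__ == "__main__":
    print(json.dumps(run_scan(CONFIG_JSON, fake_fetch, fake_vt), indent=2))
```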
6. Windows PowerShell Alternative
For Windows users, fetch favicons via PowerShell (`Get-FileHash` expects a path or a stream, not raw bytes, so wrap the downloaded content in a MemoryStream):

```powershell
$bytes = (Invoke-WebRequest -Uri "https://target.com/favicon.ico").Content
Get-FileHash -InputStream ([System.IO.MemoryStream]::new($bytes)) -Algorithm SHA256
```
What Undercode Says
Favicon-based detection is a powerful but underutilized method in threat hunting. Combining this with automated API queries and scheduled scans creates a proactive defense against phishing. Extend this by integrating with SIEMs (e.g., Splunk, ELK) or blocking malicious domains via firewalls. Always validate findings to avoid false positives.
Expected Output:
- A log file listing domains with matching favicon hashes.
- Alerts for domains flagged as malicious in VirusTotal.
- Automated reports (e.g., CSV, JSON) for further analysis.
Reported By: Mauricefielenbach Cybersecurity – Hackers Feeds