The Role of Favicons in Website OSINT Research
Favicon Overview
Favicons on websites are graphic elements that appear as small icons, found in browser tab panels next to the website’s name or in bookmarked links. They can also be viewed from Google search by placing a website’s name in quotation marks, for example, “osintme.com”. To locate links to favicons on specific websites, view the webpage’s source code by right-clicking, selecting ‘view page source’, and using the ‘search/find in a page’ function (Ctrl + F) to look for the following values:
- File extensions such as .jpg, .png, .gif, .ico. The .ico format is the traditional one and is still frequently encountered. On graphically rich websites, searching for these extensions may return multiple images, not just the favicon.
- Sizes, a value that helps find image files with defined pixel sizes. Favicons typically need specific sizes to fit browser tabs and bookmarks. The traditional size is 16×16 pixels, with 32×32 and 64×64 pixels also common. Larger sizes cater to devices like mobile phones and smart TVs.
- rel="icon", a parameter that defines the image used as a favicon, often the quickest search value.
Favicon Types & Sizes
Favicons are used in various devices and settings:
- Regular desktop browser favicon – 16×16 pixels
- Taskbar shortcut icon – 32×32 pixels
- Desktop shortcut icon – 96×96 pixels
- Google TV – 96×96 pixels
- iPhones – 120×120; 180×180 pixels
- iPads – 152×152; 167×167 pixels
- Chrome web store icon – 128×128 pixels
- Android Chrome icon – 196×196 pixels
Additional Use Cases
Favicons offer several benefits beyond OSINT research:
- Optimized browser tab navigation
- Enhanced user experience on the web
- Improved search engine optimization (SEO) for websites
- Brand recognition and reputation building
- Browser activity tracking, as noted by Vice and Bruce Schneier
Favicon Examination in OSINT
In phishing campaign investigations, favicons can be crucial. Fraudulent sites often copy favicons from the original sites they impersonate to appear legitimate. The goal of favicon research is to identify such rogue websites. Updated tools for 2025 include:
- Favicone: An API service for easily retrieving favicons from websites.
- Favicon Grabber: Similar functionality, though slightly less reliable than Favicone.
- Favihash: Calculates favicon hash values across clearnet/darknet sites, aiding in identifying sites with the same hash.
- Favicon-hash: Generates hash values that are searchable on platforms like VirusTotal, Shodan, and Censys.
Practical Application
Consider an investigation of fake websites impersonating Amazon UK, possibly involved in phishing or spam distribution. First, locate the Amazon UK favicon. Then, calculate its hash values using one of the mentioned tools.
Using Shodan and Censys, you can search for the favicon’s hash value (1941681276) and MD5 hash (ca6619b86c2f6e6068b69ba3aaddb7e4), revealing legitimate Amazon services. However, filtering by risky regions like Russia can expose impostor sites:
- 89.23.100.153 with favicon hash: 1941681276 country: "RU"
These sites are flagged by VirusTotal for malicious activities. Exploring the IP address 89.23.100.153 with Shodan also uncovers a fake site involved in an “Amazon Gift Card Giveaway” scam, evidenced by Censys results. By tracking different favicon hashes like -1255845316, more connected fraudulent sites can be discovered, aiding further research on parameters like registration timelines and hosting providers.
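As an added illustration (not code from the original article or from any of the tools named above), the Python below computes the two kinds of fingerprint used in this walkthrough: a signed 32-bit MurmurHash3 over the line-wrapped base64 of the icon file, which is the convention behind Shodan-style favicon hashes, and the MD5 of the raw bytes. It then flags hosts that serve a brand's icon without being on the brand's own host list. The icon bytes and host names are constructed placeholders, and `find_lookalikes` is a hypothetical helper.

```python
import base64
import hashlib

MASK = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as an unsigned 32-bit integer."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    full = len(data) - len(data) % 4
    for i in range(0, full, 4):                      # 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (_rotl((k * c1) & MASK, 15) * c2) & MASK
        h = (_rotl(h ^ k, 13) * 5 + 0xE6546B64) & MASK
    if full < len(data):                             # 1-3 trailing bytes
        k = int.from_bytes(data[full:], "little")
        h ^= (_rotl((k * c1) & MASK, 15) * c2) & MASK
    h = (h ^ len(data)) & MASK
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)

def favicon_mmh3(icon: bytes, wrap: bool = True) -> int:
    """Signed 32-bit hash of the base64-encoded icon.
    wrap=True keeps the newline after every 76 characters, the form used for
    favicon hashes; wrap=False shows that unwrapped base64 does not match."""
    encoded = base64.encodebytes(icon) if wrap else base64.b64encode(icon)
    h = murmur3_32(encoded)
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_md5(icon: bytes) -> str:
    return hashlib.md5(icon).hexdigest()

def find_lookalikes(reference: bytes, owned: set, observed: list) -> list:
    """Hosts serving the reference icon that are not on the owned list."""
    ref = favicon_mmh3(reference)
    return [h for h, icon in observed if favicon_mmh3(icon) == ref and h not in owned]

# Constructed sample data: placeholder bytes and hosts, not real favicons or sites.
BRAND_ICON = b"\x00\x00\x01\x00" + bytes(range(96))
OWNED = {"www.brand.example"}
OBSERVED = [("www.brand.example", BRAND_ICON),
            ("brand-giftcards.example", BRAND_ICON),
            ("unrelated.example", b"\x00\x00\x01\x00" + bytes(96))]

if __name__ == "__main__":
    print(favicon_mmh3(BRAND_ICON), favicon_md5(BRAND_ICON))
    print(find_lookalikes(BRAND_ICON, OWNED, OBSERVED))
```

The hash is computed over the exact bytes served, so a re-encoded or resized copy of the same icon produces a different value and will not match.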