Follow the favicon - a short lesson in brand theft


May 11, 2021

Impersonation and brand identity theft are the first step of a successful phishing campaign. If a malicious actor can impersonate a domain-based brand with enough rigour to convince an unsuspecting visitor of its validity, they stand a much greater chance of persuading that visitor to hand over valuable data such as personal or payment details.

There is a wide range of elements that contribute to a brand's identity, but one often under-appreciated element is the humble favicon that primarily appears in the tab of your web browser.

 


Why are favicons so interesting from a Digital Risk Protection perspective?

Like any other element of a company's brand, a favicon is unique and easily identifiable to a viewer. If it is replicated accurately, the bad actor stands a greater chance of convincing the viewer that the site is authentic, and therefore of tricking them into certain, negative, behaviour.

Let’s take Apple as an example: 


The immediately recognisable icon reassures the visitor they’ve landed where they expected to. But where else does this favicon appear? Spot the odd one out. 


There may be a perfectly good reason why “mhero” are using Apple's favicon, but it could be that what we see here is the theft of a trademarked brand with the intention of impersonation.
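One way a brand owner could check for this kind of reuse, as an added example that is not Darkbeam's functionality or code from the original post: resolve each page's declared favicon, hash the bytes, and flag hosts outside the brand's own domains that serve an identical icon. All domains, icon bytes and function names below are constructed for illustration, and the fetch step is replaced by an in-memory lookup so the example runs offline.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> / <link rel="shortcut icon">."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "icon" in rels and a.get("href"):
            self.hrefs.append(a["href"])

def favicon_url(page_url, html):
    """Resolve the declared favicon; fall back to the conventional /favicon.ico."""
    parser = IconLinkParser()
    parser.feed(html)
    return urljoin(page_url, parser.hrefs[0] if parser.hrefs else "/favicon.ico")

def is_owned(host, owned):
    # A host is the brand's own if it is an owned domain or a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in owned)

def find_favicon_reuse(brand_icon, owned, pages, fetch):
    """Return hosts outside `owned` serving a byte-identical copy of brand_icon."""
    want = hashlib.sha256(brand_icon).hexdigest()
    hits = set()
    for page_url, html in pages.items():
        host = urlsplit(page_url).hostname
        icon = fetch(favicon_url(page_url, html))
        if icon is None or is_owned(host, owned):
            continue
        if hashlib.sha256(icon).hexdigest() == want:
            hits.add(host)
    return sorted(hits)

# Constructed sample data: crawled pages and the icon bytes each URL returns.
BRAND_ICON = b"\x00\x00\x01\x00constructed-brand-icon"
OTHER_ICON = b"\x00\x00\x01\x00constructed-other-icon"
OWNED = {"brand.example"}
PAGES = {
    "https://www.brand.example/": '<link rel="shortcut icon" href="/static/fav.ico">',
    "https://lookalike.example/login": '<link rel="icon" href="img/f.ico">',
    "https://unrelated.example/": "<html><head></head></html>",
}
ICONS = {"https://www.brand.example/static/fav.ico": BRAND_ICON,
         "https://lookalike.example/img/f.ico": BRAND_ICON,
         "https://unrelated.example/favicon.ico": OTHER_ICON}
```

An exact hash only catches byte-for-byte copies; a resized or re-encoded icon needs a perceptual comparison, and a match is a lead to review rather than proof of impersonation.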

How can Darkbeam help?

We have created functionality that enables our customers to look for favicon theft and misuse. This is currently available to our API clients and will soon be launched in our SaaS platform. For more information about our favicon functionality please get in touch with a member of the team. 

Jet White