Hello again! In this iteration of Cool Query of the Week, we’ve got a query that can find web properties that may be attempting to impersonate Facebook login pages. This is accomplished by looking for the phrase “Facebook - log in or sign up” in HTML titles on web properties that are not accompanied by a legit facebook favicon.

web.endpoints.http.html_title: "Facebook - log in or sign up" and not web.endpoints.http.favicons.hash_sha256: {88ae5454a7c32c630703440849d35c58f570d8eecc23c071dbe68d63ce6a40d7, 8924f44d76426a340b105cbdc5b93678c6b772e847b393f2568d94847c0d8d80}

As a reminder, you can convert any of the old queries using Censys Search Language shown in the CQOTW series using the Platform’s built-in query converter.