Google’s App Engine proxies HSBC site

Update April 17, 2011: Based on some feedback received offline, I would like to clarify: inetbrowse is a proxy, available on the Google App Engine. In other words, anything can be proxied through it. I did not mean to imply that Google was knowingly hosting a phishing site.

The intention with the post below was to highlight our original understanding – that the whole HSBC site had been copied for phishing purposes. Indeed the site below is flagged by nine phishing feeds as being a phishing site. In this case however, the proxy simply transfers content from the actual HSBC site and seemingly poses no threat. Users should be still be wary though – since the coder of any proxy or anonymizer could simply copy login information that passes through. The title of the post has been modified to more accurately reflect the situation.

Original Post 

Heard of the Google App Engine? 

In their own words: “Google App Engine lets you run your web applications on Google’s infrastructure. App Engine applications are easy to build, easy to maintain, and easy to scale as your traffic and data storage needs grow. With App Engine, there are no servers to maintain: You just upload your application, and it’s ready to serve your users.

You can serve your app from your own domain name (such as http://www.example.com/) using Google Apps. Or, you can serve your app using a free name on the appspot.com domain. You can share your application with the world, or limit access to members of your organization.”

But as they say “the road to phishing is paved with free services”

So let’s reword the above: “Google App Engine lets you run your phishing site on Google’s infrastructure. Simply make a full copy of your favorite banking site (such as HSBC) and upload it as an app. Your fake HSBC site is easy to scale as your traffic and phished data storage needs grow. With App Engine, there are no servers to maintain: You just upload your copied banking site (HSBC.com), modify the post details so that you (the phisher) can collect user login credentials and it’s ready to serve your phishing purposes.

You can serve your phishing site using a free name on the “appspot.com” domain (http://inetbrowse.appspot.com/www.hsbc.co.uk). You can share your phishing site with the world – don’t limit access at all!”