Google macro phishing mail.


DAG ARNE

Oct 25, 2021, 3:30:16 PM
to Google Apps Script Community
I received what appears to be a phishing mail. I thought for a second it was a legit mail and clicked the link. I could not see what it did or if it installed anything on my PC. I think it ran something very fast.

Can someone tell me what happened or should happen when I clicked the link?
Is this a macro that installed something on my computer or is it a link to a site?

I have checked with google, reddit and pchelpforum. No one answers.

https://script.google.com/macros/s/scriptid/someid

Script id is:  ...4OwWosF3KuKC0Es/

Someid is: exec?ZGFzdmVuQG9ubGluZS5ubw==

Andrew Roberts

Oct 25, 2021, 3:30:56 PM
to Google Apps Script Community
I'm not aware of any way you can find out the Apps Script from the web app URL.

Alan Wells

Oct 25, 2021, 4:21:17 PM
to Google Apps Script Community
An Apps Script program can't run from your account or run under your authority without you authorizing permission for the script to run.
If you authorized a script to run, then that script is listed in your account security at:
APPS WITH ACCESS TO YOUR ACCOUNT:
You can remove access to your account by clicking on the app and clicking the Remove Access button.
We can't tell you what happened without seeing the code, and we can't see the code without permission to edit the Apps Script file.
If you are concerned about your account being hacked, then change your password immediately.
Also change the password to any account that is the contact account for the account.

Martin Hawksey

Oct 25, 2021, 5:32:31 PM
to Google Apps Script Community
The someid is a base64 encoded string. These are straightforward to decode as they are not encrypted. They are often used to obscure email addresses as some firewalls will automatically block websites that contain emails in the link. You can decode the bit after exec? on sites like https://www.base64decode.org/ - this might help you know if one of your accounts has been targeted and revoke access as AJ suggests
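
An added example, not part of any poster's message: a local Python check that takes a `script.google.com/macros/s/.../exec` link, pulls out the deployment id, and reports whether the query carries a base64-encoded e-mail address, so the link does not have to be pasted into a third-party decoder. The sample URL, deployment id and address are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MACRO_PATH_RE = re.compile(r"/macros/s/([^/]+)/(exec|dev)")

# Constructed sample: the token is base64 of "user@example.com".
SAMPLE = ("https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/"
          "exec?dXNlckBleGFtcGxlLmNvbQ==")


def _b64_text(token):
    """Decode standard or URL-safe base64 (padding optional); None if not text."""
    # parse_qsl turns '+' into a space, so undo that before decoding.
    token = unquote(token).strip().replace(" ", "+")
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", token):
        return None
    token = token.rstrip("=").replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_macro_link(url):
    """Return the deployment id and any e-mail addresses encoded in the query.

    Returns None when the URL is not an Apps Script web app link.
    """
    parts = urlsplit(url)
    m = MACRO_PATH_RE.fullmatch(parts.path)
    if parts.hostname != "script.google.com" or not m:
        return None
    # The query may be a bare token (exec?TOKEN) or key=value pairs.
    candidates = [parts.query] + [v for _, v in parse_qsl(parts.query)]
    emails = []
    for candidate in candidates:
        text = _b64_text(candidate) if candidate else None
        if text and EMAIL_RE.fullmatch(text) and text not in emails:
            emails.append(text)
    return {"deployment_id": m.group(1), "mode": m.group(2), "emails": emails}


if __name__ == "__main__":
    print(inspect_macro_link(SAMPLE))
```

An address in `emails` means the link is tagged per recipient, so opening it can tell the sender which mailbox received it.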

DAG ARNE

Oct 26, 2021, 4:18:13 AM
to Google Apps Script Community
Thanks for your help, could this script simply be to verify that my email was a valid address or is it a more sinister script?
What is this line of code? 4OwWosF3KuKC0Es
Yes, I see that my email is obscured when I decode the bit after exec. I did not find any accounts to revoke access to.

Alan Wells

Oct 26, 2021, 11:24:45 AM
to Google Apps Script Community
The Apps Script code doesn't need access to your account to run on the owner's account for their purposes.
I don't know of any way that the script could do anything sinister to you without you granting authorization to your account, so you don't have anything to worry about. If you subscribed to getting emails then you should be able to unsubscribe if they send an email. If you can't unsubscribe then you can mark an email as spam.

Javed Baloch

Feb 2, 2023, 1:59:33 AM
to Google Apps Script Community

Hello All,

I have received a similar link, with the following message,
"For you a letter You have a new transfer of funds, you need to withdraw them
Further manual in the attached link:"

I have refrained from clicking on it, because it does not look good.

AlmarRido

Feb 2, 2023, 1:21:08 PM
to Google Apps Script Community
Just got a notification about this on my phone, clicked on the notification and the macros script ran in the background and nothing really happened. An hour later I get a notification to confirm purchase of a Google Play gift card and that my account has been accessed from India. Google needs to take serious action!!!

Jimmy Joe

Feb 22, 2023, 4:42:38 AM
to Google Apps Script Community
I have accidentally clicked on the notification as well. How can I check if my account is clean or not?

Loris

Feb 28, 2023, 8:47:01 AM
to Google Apps Script Community

My dad opened an email, they wanted to share a Google Drive or Docs file with him, then he opened a link that led to a Google Docs site. On this page there was a Google macro script link. The problem is that I don't know if he clicked on it. Does it stay in Chrome history if you click on a link like that?

Félix De Portu

Apr 14, 2023, 9:15:00 PM
to Google Apps Script Community
I encountered this in my email. Can a script.google.com/macros page run malicious code on your computer by just opening the page? Even if I didn't click anything?

This thread is literally the only thing I can find on this phishing method, how is this issue not documented anywhere else? I can't possibly be the only one. 

Elissa Snyder

Jul 7, 2023, 10:34:46 PM
to Google Apps Script Community
I have received numerous emails, a few variations. I am surprised that there has not been any follow-up from Google. Clearly this has been an issue for years.

Eighties Seeker

Aug 19, 2023, 1:32:58 PM
to Google Apps Script Community
I was trying to construct a valid URL of this scammer and load it into the browser but failed.

Sure, I get these too and loved clicking on links in spam mails, but that'll confirm that I read it (to get more scam). So I rather try to find other people's URLs. :-D

Anyway, I was lucky the other day. But instead of a fake page to enter some credentials for Norton or whatever virus scanner company they claim to be, it forwarded me to a dating page. There I finally could enter some (not mine) credentials.

While I usually can get past the scammers' credit card number validity test with some randomly generated numbers, the scammer's bank or merchant rejected it. But at least I could figure out who that merchant is.

Btw. in case of one of the Ukraine or Russian "Canadian Pharmacy" scammers it's apisales.24.com (protected by Cloudflare) in case someone wants to block that. Blocking this URL globally might remove one of this spammer's payment processors.

Anyway, I'd hope Google would remove these URLs when reported, but they seem not to.
