
Companies: please stop using free URL shorteners (especially for PII forms)!

The free URL shortener is a convenient internet feature that frequently goes against basic tenets of information security training: only click links that you recognize, are expected to receive, and are owned by a company or service you trust. Despite this, popular free link shortening services process millions of new links and clicks every month.

Don’t get me wrong: URL shorteners are definitely useful and can be very safe when used properly (more on that later). They make links manageable to type for the rare occasion you need to give someone printed information, provide link tracking and analytics, and are sometimes even catchy. However, the design of free URL shortening services is easy to abuse, especially when the links are meant to be visited at scale or by customers of an industry that processes personally identifiable information (PII).

A letter from CVS

It turns out that even the most prominent companies aren’t immune from the temptation of using URL shorteners in their marketing and sales campaigns. I decided to switch health insurance providers a few weeks ago and received a perplexing letter from CVS, one of the biggest retail and pharmacy companies in the US, in the mail a few days later.

A postcard I received from CVS

I immediately noticed CVS’s use of the Bitly URL shortener. While arguably the most popular free URL shortener available, Bitly is also one of the most commonly abused. My concern with CVS’s use of Bitly is that they use it to direct customers to sign up for their Caremark prescription and medication service. Visiting the link on the postcard redirects to the sign-up website specifically for mail recipients: https://www.caremark.com/wps/portal/ECHC_DIGITAL_CARD.

The CVS Extracare sign-up website

Clicking through the prompt asks members to divulge various information, including their name, street address, date of birth, insurance member ID, and much more.

Great for phishing

So, what would happen if one of the million or so customers to whom CVS has presumably been sending these postcards, for who knows how long, mistyped that Bitly link? I tried to visit https://bit.ly/xtracarehealth. This URL replicates an easy mistake where the user leaves off the first letter of the link (and “xtra” is also a common spelling of the word “extra” when used as part of a company brand or trademark).

The Bitly 404 page

Behold, CVS didn’t consider that someone might mistype their short URL, and as such left nearly all of the 305 most common typos of extracarehealth available for anyone to register on Bitly.

How do I know that? Because I wrote a script to register all of them!

Bitly Typos

Over the next few days, I wrote a script using Python and the Bitly API to calculate and register the most common typos for almost any Bitly link. I decided to call my project Bitly Typos (so creative, I know — if anyone can think of a better name, feel free to send it my way).

Typo generation

The script begins by splitting the bit.ly/ portion of a provided URL from the Bitly ID, which is the string of case-sensitive letters, numbers, and a few special characters like - and _ that identifies a Bitly link and redirects it to a new location.

I accounted for the typos in the list below. While I realize this certainly won’t get every possible typo a user could make (someone could theoretically mistype extracarehealth as rbutbnirndeluwp, after all), it should get the most common ones by far. I also had to assume that the user would make only one error per generated URL for the sake of it not taking forever to create and register them. Maybe the multi-typo generation feature will come if I decide to make a future version, or if anyone would like to contribute it.

  • Skipped letters — Exactly as it sounds. Turns extracarehealth into xtracarehealth, etracarehealth, exracarehealth, and so on.
  • Double letters — Performs the opposite of skipped letters. Turns extracarehealth into eextracarehealth, exxtracarehealth, etc.
  • Reversed letters — Swaps the position of two adjacent letters. extracarehealth might become xetracarehealth, for example.
  • Missed keys — This one was a bit more complicated. I couldn’t think of a quick way to create a 2D array naturally aligned with multiple keys above and below a single key (although there probably is one), so I just made a mapping of them. Each mapping first uses the key to the immediate left, if it’s a letter or number, and generates URLs counterclockwise from there. For the e in extracarehealth, this would become wxtracarehealth, 3xtracarehealth, and so on with 4, r, f, d, through s. The cycle repeats with each letter in the word.
  • Inserted keys — Once again, the opposite of missed keys. Re-using the above example, each of the substitutes for e would be inserted before and after it (wextracarehealth, ewxtracarehealth, and so on for each combination and letter in the string). I also tried to account for the accidental insertion of capital letters.

Link generation

After generating the list of Bitly IDs, I used Bitly’s API to link them to https://www.caremark.com/wps/portal/ECHC_DIGITAL_CARD. Strangely, Bitly doesn’t allow you to request a direct conversion — you have to generate the short link and then customize the short link to be the desired string. The process isn’t a problem to automate, though.
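The following is an added example, not the author’s Bitly Typos script: it implements the five single-error typo classes described above (skipped, doubled, swapped, missed and inserted keys) against a Bitly ID, then shows the two-step registration the text describes. The QWERTY neighbour map is hand-built from row offsets rather than copied from the author’s mapping, so the neighbour set for a given key will differ slightly (for e it yields w, r, 3, 4, s and d but not f). The Bitly v4 endpoints (/v4/expand to test a back-half, /v4/bitlinks then /v4/custom_bitlinks to create and rename) are as I know them and should be checked against current Bitly documentation; they are only contacted when a BITLY_TOKEN environment variable is set.

```python
"""Single-error typos of a Bitly back-half, plus availability check and registration."""
import json
import os
import string
import sys
import urllib.error
import urllib.request

# Constructed QWERTY layout: each row with its horizontal stagger in key widths.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
OFFSETS = [0.0, 0.5, 1.0, 1.5]
ALLOWED = set(string.ascii_letters + string.digits + "-_")  # characters Bitly IDs may contain
API = "https://api-ssl.bitly.com/v4"


def keyboard_neighbours():
    """Map each letter/digit to the keys within one key width on its own or an adjacent row."""
    pos = {ch: (r, c + OFFSETS[r]) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
    return {ch: {o for o, (r2, x2) in pos.items()
                 if o != ch and abs(r - r2) <= 1 and abs(x - x2) <= 1}
            for ch, (r, x) in pos.items()}


NEIGHBOURS = keyboard_neighbours()


def skipped(s):  # one character dropped
    return {s[:i] + s[i + 1:] for i in range(len(s))}


def doubled(s):  # one character typed twice
    return {s[:i + 1] + s[i] + s[i + 1:] for i in range(len(s))}


def swapped(s):  # two adjacent characters transposed
    return {s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1)}


def missed_key(s):  # a neighbouring key (or shifted key) hit instead of the right one
    out = set()
    for i, ch in enumerate(s):
        for n in NEIGHBOURS.get(ch.lower(), set()) | {ch.swapcase()}:
            out.add(s[:i] + n + s[i + 1:])
    return out


def inserted_key(s):  # a neighbouring key (or a stray capital) hit in addition, before or after
    out = set()
    for i, ch in enumerate(s):
        for n in NEIGHBOURS.get(ch.lower(), set()) | {ch.upper()}:
            out.add(s[:i] + n + s[i:])
            out.add(s[:i + 1] + n + s[i + 1:])
    return out


def typos(url_or_id):
    """All single-error variants of the back-half of a bit.ly URL (or bare ID), excluding itself."""
    bid = url_or_id.strip().rsplit("/", 1)[-1]
    out = skipped(bid) | doubled(bid) | swapped(bid) | missed_key(bid) | inserted_key(bid)
    out.discard(bid)
    return {t for t in out if t and set(t) <= ALLOWED}


def _call(token, method, path, body=None):
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def is_unclaimed(token, bid, domain="bit.ly"):
    """404 from /expand is the API form of the Bitly 404 page; anything else we treat as taken."""
    status, _ = _call(token, "POST", "/expand", {"bitlink_id": f"{domain}/{bid}"})
    return status == 404


def claim(token, bid, long_url, domain="bit.ly"):
    """No create-with-this-back-half call exists: create a link, then attach the custom back-half."""
    status, created = _call(token, "POST", "/bitlinks", {"long_url": long_url, "domain": domain})
    if status not in (200, 201) or "id" not in created:
        return False
    status, _ = _call(token, "POST", "/custom_bitlinks",
                      {"bitlink_id": created["id"], "custom_bitlink": f"{domain}/{bid}"})
    return status in (200, 201)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://bit.ly/extracarehealth"
    candidates = sorted(typos(target))
    print(f"{len(candidates)} single-error typos of {target}")
    token = os.environ.get("BITLY_TOKEN")
    if token:  # dry listing without a token; network only when one is supplied
        free = [c for c in candidates if is_unclaimed(token, c)]
        print(f"{len(free)} unclaimed, e.g. {free[:5]}")
```

Run it with no arguments to see the candidate count for extracarehealth, or point it at one of your own short links before a mailing goes out; the same `typos` set is what a defender would register (or monitor) first.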

Putting it all together

In the end, 302 of the 305 links I attempted to generate were available. Over the next week and a half, I periodically checked the number of clicks my links were receiving. Unfortunately, there’s no way to compare it to the number of clicks that the actual extracarehealth link received as Bitly doesn’t publish other users’ statistics. Nor do they allow you to view which custom short links for a URL generated the most clicks — it only sorts by long URL.

The number of clicks received per day (without a scale, because Bitly doesn’t provide one). January 12th received 13 clicks.

However, I received around 120 total clicks during this period. I didn’t get as many as I expected, but at least it means my method for generating typos is reasonable. Phishing kits are cheap and easy to deploy, and PII sells, so it only takes two or three victims to make a scam like this profitable. Three is well under the number of potential victims that visited my links in only a week and a half, so I assume such a phishing campaign would be moderately successful.

The Social Engineering Toolkit (SET), from TrustedSec

What I could’ve done

In the example above, I registered and redirected 302 of the most common typos for https://bit.ly/extracarehealth to the actual Extracare website like CVS intended. But what if I wasn’t this good-natured?

I could have easily used a tool such as the Social Engineering Toolkit (SET) by TrustedSec to clone the Extracare site and harvest whatever victims typed into its fields. I even demonstrated how easy this is to accomplish a few years ago, on a bank login page, as part of a network security project for my Network Services class. All an attacker would need to do beyond that is find and purchase a domain name similar to Extracare, CVS, Caremark, or any variant of these words, host the clone there, and point the typo’d Bitly links at it instead of at caremark.com.

A fake Extracare site is running in the Social Engineering Toolkit (SET). Note the IP address (127.0.0.1) instead of the caremark.com URL and the harvested data in red in the terminal.

To be fair, CVS or any other company can be impersonated via typosquatting independently of the URL shortener issue. Still, a phishing scheme’s success rate is far higher when the targeted company itself provides the bait (in this case, the Caremark postcard). Users who receive a legitimate mailing from CVS with their name, insurance plan, and address already identified are far more likely to blindly trust the rest of the sign-up process if they don’t notice that they made a typo, especially if they are new to the service and don’t know what to expect.

A branded link!

What CVS should have done

Any large company, but especially those that collect and store PII, such as CVS, should not use public URL shorteners. But you still want to shorten links, you say? Use a branded link!

Branded links, such as those available through Bitly Basic, Bitly Enterprise, or any other URL shortening service, provide the same features as normal URL shorteners except that they are private. Only the company and other authorized parties are allowed to generate links using a branded link’s domain. Any unregistered (or typo’d) link received at this domain can be configured to redirect to the official company website, so a customer’s typo lands on a page the company controls rather than on a 404 page that anyone can fill in.

Even I use Cuttly, a competing and slightly cheaper service to Bitly, to shorten links on my website. If I can afford my own branded link, there is no doubt that a multi-billion dollar company such as CVS can spare the expense to protect its users’ security.

Part of a LabCorp Pixel COVID-19 self-test instruction sheet

Bonus: Unfortunately commonplace!

I found another health company using Bitly to shorten its links while writing this article. Earlier this week, I was quarantining after traveling back to RIT per the New York State COVID-19 travel guidelines. The second COVID test that I took in order to be released was a mail-in kit by LabCorp, a diagnostic medical company. They are using Bitly to shorten a link to FedEx’s drop-off locations. I wonder what information scammers could obtain by posing as LabCorp or FedEx when users visit a typo’d variant of this URL?

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
