Companies: please stop using free URL shorteners (especially for PII forms)!
I created a tool to identify and generate common typos for popular Bitly links to prevent them from being used by scammers.
The free URL shortener is a convenient internet feature that frequently goes against basic tenets of information security training: only click links that you recognize, are expected to receive, and are owned by a company or service you trust. Despite this, popular free link shortening services process millions of new links and clicks every month.
Don’t get me wrong: URL shorteners are definitely useful and can be very safe when used properly (more on that later). They make links more manageable to type for the rare time you need to give someone printed information, provide link tracking and analytics services, and are sometimes even catchy. However, the design of free URL shortening services is easily abusable, especially when these links are to be visited at scale or by customers of an industry that processes personally identifiable information (PII).
A letter from CVS
It turns out that even the most prominent companies aren’t immune from the temptation of using URL shorteners in their marketing and sales campaigns. I decided to switch health insurance providers a few weeks ago and received a perplexing letter from CVS, one of the biggest retail and pharmacy companies in the US, in the mail a few days later.
I immediately noticed CVS’s use of the Bitly URL shortener. While arguably the most popular free URL shortener available, Bitly is also the most commonly abused. My concern with CVS’s use of Bitly is that they use it to direct customers to sign up for their Caremark prescription and medication service. Visiting the link above redirects to the sign-up website specifically for mail recipients: https://www.caremark.com/wps/portal/ECHC_DIGITAL_CARD
.
Clicking through the prompt asks members to divulge various information, including their name, street address, date of birth, insurance member ID, and much more.
Great for phishing
So, what would happen if one of the probably million-or-so customers that CVS has been sending these postcards out to for who-knows-how-long mistyped that Bitly link? I tried to visit https://bit.ly/xtracarehealth
. This URL replicates an easy mistake where the user leaves off the first letter in the link (but is also a common spelling of the word “extra” when used as part of a company brand or trademark).
Behold, CVS didn’t consider that someone might mistype their short URL, and as such, left all 305 common spelling mistakes of extracarehealth
available to be registered on Bitly.
How do I know that? Because I wrote a script to register all of them!
Bitly Typos
Over the next few days, I wrote a script using Python and the Bitly API to calculate and register the most common typos for almost any Bitly link. I decided to call my project Bitly Typos (so creative, I know — if anyone can think of a better name, feel free to send it my way).
Typo generation
The script begins by splitting the bit.ly/
portion of a provided URL from the Bitly ID, which is the string of case-sensitive letters, numbers, and a few special characters like -
and _
that identifies a Bitly link and redirect it to a new location.
I accounted for the typos in the list below. While I realize this certainly won’t get every possible typo a user could make (someone could theoretically mistype extracarehealth
as rbutbnirndeluwp
, after all), it should get the most common ones by far. I also had to assume that the user would make only one error per generated URL for the sake of it not taking forever to create and register them. Maybe the multi-typo generation feature will come if I decide to make a future version, or if anyone would like to contribute it.
- Skipped letters — Exactly as it sounds. Turns
extracarehealth
intoxtracarehealth
,etracarehealth
,exracarehealth
, and so on. - Double letters — Performs the opposite of skipped letters. Turns
extracarehealth
intoeextracarehealth
,exxtracarehealth
, etc. - Reversed letters — Swaps the position of two letters.
extracarehealth
might becomexetracarehealth
, for example. - Missed keys — This one was a bit more complicated. I couldn’t think of a quick way to create a 2D array naturally aligned with multiple keys above and below a single key (although there probably is one), so I just made a mapping of them. Each mapping first uses the key to the immediate left, if it’s a letter or number, and generates URLs counterclockwise from there. For the
e
inextracarehealth
, this would becomewxtracarehealth
,3xtracarehealth
, and so in with4
,r
,f
,d
, throughs
. The cycle repeats with each letter in the word. - Inserted keys — Once again, the opposite of missed keys. Re-using the above example, each of the substitutes for
e
would be inserted before and after it (wextracarehealth
,ewxtracarehealth
, and so on for each combination and letter in the string), I also tried to account for the accidental insertion of capital letters.
Link generation
After generating the list of Bitly IDs, I used Bitly’s API to link them to https://www.caremark.com/wps/portal/ECHC_DIGITAL_CARD
. Strangely, Bitly doesn’t allow you to request a direct conversion — you have to generate the short link and then customize the short link to be the desired string. The process isn’t a problem to automate, though.
Putting it all together
In the end, 302 of the 305 links I attempted to generate were available. Over the next week and a half, I periodically checked the number of clicks my links were receiving. Unfortunately, there’s no way to compare it to the number of clicks that the actual extracarehealth
link received as Bitly doesn’t publish other users’ statistics. Nor do they allow you to view which custom short links for a URL generated the most clicks — it only sorts by long URL.
However, I received around 120 total clicks during this period. I didn’t get as many as I expected, but at least it means my method for generating typos is reasonable. It also only takes two or three victims to make a scam like this profitable due to the ease and inexpensive nature of phishing kits and the worth of PII. Three is well under the number of potential victims that visited my links in only a week and a half, so I assume such a phishing campaign would be moderately successful.
What I could’ve done
In the example above, I registered and redirected 302 of the most common typos for https://bit.ly/extracarehealth
to the actual Extracare website like CVS intended. But what if I wasn’t this good-natured?
I could have easily used a tool such as the Social Engineering Toolkit (SET) by TrustedSec to clone and harvest data from the various fields of the Extracare site. I even demonstrated how easy this is to accomplish a few years ago — on a bank login page as part of a network security project for my Network Services class. All an attacker would need to do is find and purchase a similar domain name to Extracare, CVS, Caremark, or any variant of these words and typosquat on it.
To be fair, CVS or any other company can be impersonated via typosquatting independently of the URL shortener issue. Still, a phishing scheme’s success rate is always higher when the targeted company itself provides the bait (in this case, the Caremark postcard). Users that receive a legitimate mailing from CVS with their name, insurance plan, and address already identified are far more likely to blindly trust the rest of the sign-up process if they don’t notice that they made a typo, especially if they are new to the service and don’t know what to expect.
What CVS should have done
Any large company, but especially those that collect and store PII, such as CVS, should not use public URL shorteners. But you still want to shorten links, you say? Use a branded link!
Branded links, such as those available through Bitly Basic, Bitly Enterprise, or any other URL shortening service, provide the same features as normal URL shorteners except that they are private. Only the company and other authorized parties are allowed to generate links using a branded link’s domain. Any unregistered (or typo’d) links received at this domain will be redirected to the official company website.
Even I use Cuttly, a competing and slightly cheaper service to Bitly, to shorten links on my website. If I can afford my own branded link, there is no doubt that a multi-million dollar company such as CVS can spare the expense to protect its users' security.
Bonus: Unfortunately commonplace!
I found another health company using Bitly to shorten its links while writing this article. Earlier this week, I was quarantining after traveling back to RIT per the New York State COVID-19 travel guidelines. The second COVID test that I took in order to be released was a mail-in kit by LabCorp, a diagnostic medical company. They are using Bitly to shorten a link to FedEx’s dropoff locations. I wonder what information scammers could obtain by posing as LabCorp or FedEx when users visit a typo’d variant of this URL?