This story begins where most good stories start: at the computer of a 31-year-old man from North Carolina. Living with his parents, he is looking for any way to make money doing odd jobs. He cleans at the local school while his mom works as a prosecutor for the local courts. This man goes by the alias Sammy and has been programming for nearly 12 years. A social outcast, he barely has the motivation to get a job and instead slips into the world of cybercrime. He starts small, finding ways to get free food at restaurants. His first gig is checking 100%-off codes for the popular meal-kit supplier Marley Spoon. Sammy sets up a small shop on the platform Shoppy and begins selling these codes for $4 each. The money starts flowing in. He gets high on the rush of his growing reputation and notoriety in the online fraud space. He sells hundreds of codes and gains a cult following who resell his products to the uninitiated. This soon becomes not enough for him; Sammy realizes he needs to step up his game. For nearly a month, he spends hours poring over food sweepstakes and reading the conditions of companies' return policies. Finally, he finds his soon-to-be jackpot: Chick-fil-A.
This is 100% true and happened at the beginning of quarantine, between April and May. All of the characters in this story have had their names changed for obvious reasons.
Now you may be wondering, what did he find with Chick-fil-A? Surely a company that reputable wouldn't have any low-hanging fruit! Well, you're right and wrong; what he found was actually incredibly simple. Sammy had found that Chick-fil-A offered a free sandwich code on completion of a customer survey. However, to complete this survey, one needed a code printed at the bottom of the receipt.
At first glance, this looks like a randomly generated string of digits. How could someone possibly get access to it? I had no clue how anyone could brute-force a 22-digit code. However, I soon realized that these codes were not random at all but were assembled from fields already printed elsewhere on the receipt, so the effective search space is tiny compared with what 22 digits suggests. The steps are outlined below.
Analyzing multiple receipts from Chick-fil-A restaurants across the country (via Google Images) allowed us to determine (roughly) the pattern used for generating the "Serial Num" occasionally found near the bottom of the customer copy of the receipt (see the example below).
Weaknesses in the customer experience portal, chiefly the absence of any rate limiting on the code-validation step, allow candidate serial numbers to be checked in rapid succession. Once a serial number is proven valid, scripted HTTP requests can do the heavy lifting of filling out the survey. The survey can thus be completed automatically, with the email address to which the free sandwich voucher(s) should be sent filled in by the script.
Example Serial Num: 6320106–01336–1109–0523–95
Sequence 1 (7-Digits)
Out of the first sequence of seven digits, the first three represent the last three digits of the Order Number, printed near the top of the customer copy receipt (in this case, the order number was 5222632).
The 4th and 6th digits of this first sequence will always be zero (6320106).
The 5th digit is assumed to be the revenue center (dine-in, carry-out, drive-thru); in this case, dine-in was represented by a 1 (printed below the date/time on the customer copy).
The 7th digit of this first sequence represents the register that the transaction was carried out on (printed above the cashier name on the customer copy), in this case, register 6.
Sequence 2 (5-Digits)
The five-digit number that makes up sequence two is simply the store number printed near the top of the receipt (in this case, #01336).
Sequence 3 & 4 (4-Digits Each)
Sequence 3 is the transaction time as HHMM (here 1109, i.e. 11:09), and sequence 4 is the transaction date as MMDD (here 0523, i.e. May 23).
Sequence 5 (2-Digits)
The first of the two digits is the last digit of the year the transaction is made in (9, as of 2019).
What the second of the last two digits in this sequence represents has not yet been determined.
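As an added example (not code from the post, from Sammy, or from Chick-fil-A), the following Python decodes a serial according to the layout described above, cross-checks it against the fields printed on the receipt, and estimates how many candidates remain once some fields are known. The field meanings and the worked receipt values come from the post; the candidate-count figures (for instance treating the revenue-center digit and the undetermined final digit as having 10 possible values each) are assumptions made here for illustration.

```python
"""Decode a Chick-fil-A receipt "Serial Num" using the 7-5-4-4-2 layout
described in the post and check it against the printed receipt fields.
Added example; the field sizes used for the candidate count are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

SERIAL_RE = re.compile(r"^(\d{7})-(\d{5})-(\d{4})-(\d{4})-(\d{2})$")

# Assumed number of possible values per field, used only to size the search space.
FIELD_SIZES = {
    "order_last3": 1000,   # last three digits of the order number
    "revenue_center": 10,  # one digit (dine-in = 1 observed; others assumed)
    "register": 10,        # one digit
    "store": 100_000,      # five-digit store number
    "time": 24 * 60,       # HHMM
    "date": 12 * 31,       # MMDD (coarse upper bound)
    "year_digit": 10,      # last digit of the year
    "unknown_digit": 10,   # final digit, meaning not determined in the post
}


@dataclass
class Serial:
    order_last3: str
    revenue_center: int
    register: int
    store: str
    hour: int
    minute: int
    month: int
    day: int
    year_digit: int
    unknown_digit: int


def parse_serial(text: str) -> Serial:
    """Split a serial into its fields and enforce the structural rules from the post."""
    normalized = text.strip().replace("\u2013", "-")  # receipts/OCR often use en dashes
    m = SERIAL_RE.match(normalized)
    if not m:
        raise ValueError("serial must be five digit groups of 7-5-4-4-2")
    g1, store, hhmm, mmdd, g5 = m.groups()
    if g1[3] != "0" or g1[5] != "0":
        raise ValueError("digits 4 and 6 of the first group must be 0")
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    month, day = int(mmdd[:2]), int(mmdd[2:])
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"invalid time field {hhmm}")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError(f"invalid date field {mmdd}")
    return Serial(g1[:3], int(g1[4]), int(g1[6]), store, hour, minute,
                  month, day, int(g5[0]), int(g5[1]))


def check_against_receipt(serial: Serial, *, order_number: str, revenue_center: int,
                          register: int, store: str, hhmm: str, mmdd: str,
                          year: int) -> list[str]:
    """Return the list of fields where the serial disagrees with the printed receipt."""
    problems = []
    if serial.order_last3 != order_number[-3:]:
        problems.append("order number tail")
    if serial.revenue_center != revenue_center:
        problems.append("revenue center")
    if serial.register != register:
        problems.append("register")
    if serial.store != store.lstrip("#").zfill(5):
        problems.append("store number")
    if (serial.hour, serial.minute) != (int(hhmm[:2]), int(hhmm[2:])):
        problems.append("time")
    if (serial.month, serial.day) != (int(mmdd[:2]), int(mmdd[2:])):
        problems.append("date")
    if serial.year_digit != year % 10:
        problems.append("year digit")
    return problems


def candidates_remaining(known_fields: set[str]) -> int:
    """Size of the search space once the given fields are known from a receipt."""
    total = 1
    for name, size in FIELD_SIZES.items():
        if name not in known_fields:
            total *= size
    return total


if __name__ == "__main__":
    s = parse_serial("6320106\u201301336\u20131109\u20130523\u201395")  # the post's example
    print(s)
    print("mismatches:", check_against_receipt(
        s, order_number="5222632", revenue_center=1, register=6,
        store="#01336", hhmm="1109", mmdd="0523", year=2019))
    print("naive 22-digit space:", 10 ** 22)
    print("with store, date and year known:", candidates_remaining({"store", "date", "year_digit"}))
```

The last two lines make the security point concrete: a serial that looks like 22 random digits collapses to a few billion candidates once the store number, date and year are taken from a single photographed receipt, which is why unthrottled validation of these codes is the real weakness rather than the code length.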
This pattern was foolproof; all Sammy needed was some store IDs, and he could brute-force his way to infinite chicken sandwiches. Sammy had just one problem: distribution. Every chicken sandwich voucher was sent to the email address specified when filling out the survey on mycfavisit. This posed a problem for selling on platforms such as Shoppy, where he would need a way to deliver the image of the redeemable QR code. So once again, Sammy needed to find a way around this. Over a week or so, Sammy pondered his options. He could do anything from building a basic IMAP client to making a Discord or Telegram bot that interfaced with his mailbox. Finally, he settled on his solution: he would use the open-source webmail client SquirrelMail. SquirrelMail would allow his customers to temporarily access the mailboxes to redeem their codes. Now all Sammy needed to do was code.
Sometime in early December, Sammy finished the project, and his system finally seemed to work:
- A rented RDP box checked candidate serial codes for validity.
- The same RDP box took the valid serials and completed the survey with them.
- A mail server received the voucher codes by email, and each one was tracked in a database.
Now Sammy was ready to open his new creation to the public. He was elated with his nearly bulletproof idea. However, when release day came, sales trickled in slowly. He had expected a crowd to flock to his newly created sandwich emporium. He needed a new idea, and fast. This was when Sammy looked to other illegal industries for advice.
Sammy could make $2 per code by distributing the codes himself, or he could make $0.75 per code selling in bulk to people who would distribute for him. Sammy chose the latter and began handpicking people he had met during his earlier ventures to distribute for him. New distributors of Chick-fil-A chicken sandwich codes began popping up on every forum board, Discord marketplace, and dark-web market. Buyers flocked in from everywhere, some buying 20 to 30 codes per day. Sammy began making $400 per day selling codes wholesale to his distributors. He was constantly adding features to his site, including a Cash App payment processor, which he coded from scratch.
Now, this is where I step into the story. At the beginning of quarantine, I had begun doing some independent research on the online fraud industry. One day, while scrolling through a forum board I frequented for research called Nulled, I came across a Chick-fil-A sandwich code shop. I found it incredibly interesting that people had found a way to get free sandwich codes and wanted to know more. That night I went back to the thread and added the seller on Discord, where I was promptly met with a message asking if I was purchasing a sandwich code. I thought about my response for a while. How could I figure this out without giving money to an illicit enterprise? I started slow, asking a few basic questions about how I would be able to access the codes. Finally, I was given a link to a cryptic website with the domain https://mail.squaremail.com. On first instinct, I clicked the link and was met with a poorly designed PHP website. I messaged the seller back, asking what would happen if I purchased a code. He told me that I would be given access to an email inbox, where I could then retrieve the code. Content with my findings, I told him I would message him another day.
Curious about how this site worked, I first ran a basic directory scan on the website using a tool called Uniscan. At first, I was met with the usual results from a basic scan, "/dashboard", "/mail", "/todo", all of which came up empty or behind an authorization prompt. However, right as I was about to stop, a result called "secret.zip" appeared on my screen. Incredibly intrigued, I took a look at the file and downloaded it (I wouldn't suggest this). After a couple of minutes, the 100MB file finished downloading, and I unzipped it. What I found was shocking: the entire source code of the website and his scripts, complete with config files, credentials, database information, and, most of all, his bitcoin private keys, all sitting in an archive left in the webroot where anyone who guessed the filename could fetch it. I was floored. I had no idea how I could get in contact with the owner (I did not know who Sammy was at the time) or what I could even do. I started by messaging the seller I had found earlier, telling him I had found a security vulnerability in his web application and that I needed to get in contact with the site owner. I was met with a curt reply:
"Nice try. I am not giving up the supplier's name."
Frustrated, I messaged another seller I had found on a Discord marketplace, whom we will call James. James replied that he wasn't surprised I had found a vulnerability and that he had been ousted from the list of distributors just days before. He immediately asked about the extent of the vulnerability and whether he could use it to get back at his new enemy. I promptly told him that he couldn't use it for any gain, and he gave me Sammy's contact information.
The next few days involved a lot of waiting; Sammy didn't add me back for nearly a week. Then, one early morning in early May, I woke to three unread messages from Sammy, and they were nothing like what I had expected. I had imagined him graciously thanking me for my diligence in reporting the vulnerability. The reality was much worse. He was threatening to sue me? I was in absolute shock. What had I done to warrant a lawsuit?
I thought about my response for a while; how was I going to explain to him that I had not done this out of malice or bad blood? All I had wanted was to inform him of a serious security issue that could cost him thousands of dollars' worth of bitcoin. Eventually, I replied that I would be willing to discuss the matter on the phone at around 7 PM Central, and gave him a TextNow number to call. Four hours later, I received a call from a phone number located near Florida and quickly answered. Before I could say a word, I was greeted by a woman with a southern drawl. She introduced herself as Sammy's mother, and I responded with my greetings. She then explained that scanning his website was, in fact, illegal and that I could be prosecuted to the full extent of the law. This was incredibly confusing to me, considering the premise of the website was illegal activity, but I decided to let it slide. She eventually explained that as long as I never contacted Sammy again and did not tell any of his customers about the incident, I would face no repercussions. I politely agreed and hung up the phone.
I decided it was a good idea to just stop looking into the website despite it being so intriguing. And thankfully, a few days later, he took down the secret.zip file. The whole incident seemed to be coming to an end, and I was content with the information I had gathered.
Three months later, in June, I had nearly forgotten the incident and was going about my daily life when I received a Discord DM from the formerly ousted distributor, James. The message read:
“Hey, it’s been a while, but Sammy just got sent a cease and desist from Chick-Fil-A. He has to pay restitution.”
I laughed at the irony of the situation; the person who had threatened to sue me had been forced to pay restitution. Justice was served.