How to hack public Wi-Fi to mine for cryptocurrency
Source: zdnet.com
A new attack called CoffeeMiner can exploit public Wi-Fi services to secretly mine cryptocurrencies.
A researcher has published a proof-of-concept (PoC) project called CoffeeMiner which shows how threat actors can exploit public Wi-Fi networks to mine cryptocurrencies.
Last week, a software developer called Arnau disclosed research into how public networks offering access to the Internet can be harnessed to generate revenue for attackers.
Interest in cryptocurrency has grown of late due to the surge in pricing for Bitcoin (BTC) and, to a lesser extent, Ethereum (ETH). However, cryptocurrency has always been a common factor for some cyberattackers, who use ransomware to force their victims to pay a "ransom" to regain access to compromised systems locked by malware.
The project, released to the public for academic study, builds on the recent discovery of a cryptocurrency miner on a Starbucks Wi-Fi network.
CoffeeMiner works in a similar way. The attacking code aims to force all devices connected to a public Wi-Fi network to covertly mine cryptocurrency.
Mitmproxy is then used to inject JavaScript into pages the Wi-Fi users visit. To keep the process clean, the developer injected only one line of code which calls a cryptocurrency miner.
The miner is then served through an HTTP server. The mining software in question is called CoinHive, which is used to mine Monero and is considered a threat by some antivirus firms.
The only limit is the amount of time a victim spends on a page. CoinHive works best when visits to a page average 40 seconds -- but this does not mean other cryptocurrency miners would not overcome this problem.
"The idea is to have the CoffeeMiner script that performs the ARPspoofing attack and sets up the mitmproxy to inject the CoinHive cryptominer into victims' HTML pages," the developer says.
Arnau has tested the attack in real-life scenarios, such as in coffee shops, and found CoffeeMiner to be successful.
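From the defender's side, the single injected script line is detectable by comparing the page received on the Wi-Fi network with a copy fetched over a trusted path. The following is an added example, not code from the CoffeeMiner project or the original article. The sample pages, the address 192.168.1.50 and the function names are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return set(parser.sources)


def is_lan_host(url):
    """True when the script host is a private or link-local IP literal."""
    host = urlparse(url).hostname
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # a DNS name or relative URL, not an IP literal
    return addr.is_private or addr.is_link_local


def injected_scripts(baseline_html, received_html):
    """Return (src, reason) for scripts present only in the received copy."""
    extra = script_sources(received_html) - script_sources(baseline_html)
    return [(src, "served from LAN address" if is_lan_host(src) else "not in baseline")
            for src in sorted(extra)]


# Constructed samples: BASELINE is the page fetched over a trusted path (assumed),
# RECEIVED is the same page as delivered on the untrusted Wi-Fi network.
BASELINE = '<html><head><script src="/static/app.js"></script></head><body>News</body></html>'
RECEIVED = BASELINE.replace(
    "</body>", '<script src="http://192.168.1.50:8080/m.js"></script></body>')

if __name__ == "__main__":
    for src, reason in injected_scripts(BASELINE, RECEIVED):
        print(f"unexpected script: {src} ({reason})")
```

Pages that legitimately vary their script tags between requests will produce "not in baseline" noise, so the LAN-address reason is the stronger signal for this kind of injection.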
"For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victim list," the developer added. "Another further feature could be adding sslstrip to make sure the injection also in the websites that the user can request over HTTPS."