Covertly roping unsuspecting users’ machines into mining cryptocurrency is a dream for many aspiring cryptocurrency owners, and some of them set aside ethical considerations and work on making that dream come true.
Another method, discovered last month in a Starbucks in Buenos Aires, consists of injecting mining code in pages served to users of free, public WI-Fi networks.
This particular incident spurred a Barcelona-based software developer to investigate how such an attack can be automated.
The first step of the attack consists of putting the attacker’s machine between the users’ devices and the Wi-Fi router, effectively allowing it to intercept, transmit and modify the web traffic passing between them.
This position is achieved by performing an ARP spoofing attack: the attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local area network so that his MAC address is associated with the IP address of the default gateway (router). Once that’s achieved, any traffic meant for that IP address will be sent to the attacker instead.
Previously, the attacker has set up an HTTP server on his machine, so that it can serve the crypto miner script (CoinHive) to the victims.
The developer’s goal was to make a script that performs a completely autonomous attack on the Wi-Fi network, but he has stopped short of doing just that: an attacker will have to manually prepare a text file with all the victims’ IP address before deploying CoffeeMiner.
The script does all the rest: gets the IP of the router and that of the victims, configures the IP forwarding and IP tables, performs the ARPspoof for all the victims, starts the HTTP server for serving the crypto miner, starts the mitmproxy, and injects the needed script in the web traffic.
The developer has successfully tested the attack in real-life scenarios, and it works. Still, he counsels against using his proof-of-concept code for actual attacks – he made sure to note that he created it for purely academic purposes.
“For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victims’ list. Another further feature, could be adding sslstrip, to make sure the injection also in the websites that the user can request over HTTPS,” he concluded.