A new attack called CoffeeMiner can exploit public Wi-Fi services to secretly mine cryptocurrencies.
A researcher has published a proof-of-concept (PoC) project called CoffeeMiner which shows how threat actors can exploit public Wi-Fi networks to mine cryptocurrencies.
Last week, a software developer called Arnau disclosed research into how public networks offering access to the Internet can be harnessed to generate revenue for attackers.
Interest in cryptocurrency has grown of late due to the surge in pricing for Bitcoin (BTC) and to a lesser extent, Ethereum (ETH). However, cryptocurrency has always been a common factor for some cyber attackers which utilize ransomware to force their victims to pay a "ransom" to gain access to compromised systems locked by malware.
According to the developer, public Wi-Fi may also now be a source of income for hackers that successfully pull off Man-in-The-Middle (MiTM) attacks to launch cryptocurrency miners.
The project, released to the public for academic study, leans upon the recent discovery of a cryptocurrency miner discovered on a Starbucks Wi-Fi network.
CoffeeMiner works in a similar way. The attacking code aims to force all devices connected to a public Wi-Fi network to covertly mine cryptocurrency.
The attack works through the spoofing of Address Resolution Protocol (ARP) messages by way of the dsniff library which intercepts all traffic on the public network.
The miner is then served through an HTTP server. The mining software in question is called CoinHive, which is used to mine Monero and is considered by some antivirus firms as a threat.
Once compiled, these elements come together as a single script which can be deployed by attackers on public Wi-Fi networks. Unwitting victims are rerouted through a server controlled by attackers and their devices will mine cryptocurrency as they browse.
The only limit is the amount of time a victim spends on a page. CoinHive works best when visits to a page average 40 seconds -- but this does not mean other cryptocurrency miners would not overcome this problem.
"The idea is to have the CoffeeMiner script that performs the ARPspoofing attack and set ups the mitmproxy to inject the CoinHive cryptominer into victims' HTML pages," the developer says.
Arnau has tested the attack in real-life scenarios, such as in coffee shops, and found CoffeeMiner to be successful.
"For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victim list," the developer added. "Another further feature could be adding sslstrip to make sure the injection also in the websites that the user can request over HTTPS."