John Karlo D. Agon & Lovely Jovellee Lyn S. Bruiz, G Data

In 2017, there was a massive increase in the volume of cryptomining attacks by 8,500%. The highest value for a collective miner revenue has amounted to roughly $50 million dollars. No wonder that there was a shift on the mindset of cybercriminals from blatant extortion, such as the proliferation of Ransomware, to subtle way of acquiring cryptocurrency through cryptomining. So why bother forcing the victims to pay ransom, when they can be enslaved and mine for them instead?

Cybercriminals always look for different ways to inject coinminers to victim’s devices – and one of the unique ways to do this is through wireless connection. In fact, there was an incident in Starbucks Buenos Aires, Argentina where a customer connected to the store’s WiFi network and discovered a cryptomining script in their webpage. What makes this interesting is that there were no similar incidents in other branches – which indicates that this is an isolated and targeted attack on the local network.

To have a better understanding primarily on how this new attack vector poses a threat to WiFi users and eventually plot possible prevention and mitigation steps, this research explores and replicates the attack on a local WiFi network to mine cryptocurrency. This research will layout holistic view of the cryptomining infection in a WiFi network using a Github Project called, CoffeeMiner as well as dig deeper on how this attack redirects all HTTP requests of the victim to the attacker leading to the injection of the mining script to all of the webpages requested by the victim by utilizing “mitmproxy” – a popular open source https proxy and Man-In-The-Middle framework. This research will also demonstrate the versatility of the attack, which can mine several cryptocurrencies like Monero, Electroneum etc. whose impact is not only on PCs, but even on mobile devices. Lastly, the paper establishes how this attack can potentially be the stepping stone for more advance type of cryptomining attacks.

More importantly, this research identifies solutions on how to distinguish and prevent cryptomining attack in a public wireless connection. Practical approaches such as checking of CPU usage, machine behavior and other system modifications are discussed and can be as extensive as to the installation of different browser plugins and extensions such as NoScripts, Force HTTPS, No Coin and minerBlock are explored. Moreover, simple techniques and native tools are showcased to identify if the system is under Man-In-The-Middle Attack. After all, despite of the ever-evolving threats such as this, practical and simple solutions are still proven methods for people to safely connect to our digital network and prevent from being “mined”.