This article is more than 1 year old
Argy-bargy Argies barge into Starbucks Wi-Fi with alt-coin discharges
Venti vanilla skinny latte with sprinkles of JavaScript and a side of Monero mining, please
Starbucks has joined the long growing list of organizations that have inadvertently and silently mined alt-coins on customers' computers for mystery miscreants.
A sharp-eyed quaffer in a branch of the frothy-coffee-flavored-milk franchise noticed that when he signed on to the cafe's free Wi-Fi service something was amiss. Sitting in the shop in the bustling capital city of Argentina, Buenos Aires, this month, startup boss Noah Dinkin spotted that there was a ten-second delay in connecting to the internet via the Wi-Fi, and that time was used to fire up a copy of Coin Hive's Monero-mining JavaScript in his browser.
Thus, when Dinkin and his fellow latte slurpers joined the cafe's wireless, something on the network was maliciously injecting Coin Hive's code into their web browsers so that for at least ten seconds or so, their PCs and other devices would toil away crafting Monero coins for whoever was masterminding the scam.
Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer's laptop? Feels a little off-brand.. cc @GMFlickinger pic.twitter.com/VkVVdSfUtT
— Noah Dinkin (@imnoah) December 2, 2017
Coin Hive's software is freely available, and when run in a webpage uses the visiting computer's spare CPU cycles to mine the digital currency Monero – which is a young alt-coin and easily crafted by laptops and handhelds. One XMR is right now worth $304.88 – last time we looked last month or so, it was about $90.
The idea was that, rather than rely on ad clicks and views, website owners pocket revenue by running coin-mining code in visitors' web browsers: the extracted digital money being funneled back to webmasters via Coin Hive. However, hackers have seized the software with gusto, and are silently embedding or injecting the JavaScript into shedloads of compromised websites – from big names to little sites – and trousering all the produced cryptocurrency for themselves.
High-profile crypto-jacking victims have included CBS's Showtime website, the Pulitzer Prize-winning Politifact, the Ultimate Fighting Championship's pay-per-view ufc.tv site, and Google Chrome extensions. At least 30,000 sites sneaked in Coin Hive code, and it has also started popping up on smartphones, killing battery life and overheating the handsets.
Many security tools and ad-blocking packages now routinely block Coin Hive's JavaScript. As a result, the developers of the miner created AuthedMine that can't be used unless a webpage's visitor agrees to donate their hardware and electricity. Of course, it's still possible to use Coin Hive's stealthy script and service.
Back to Starbucks, and the American giant said, after some argy-bargy, its Argy ISP has killed off the mining code.
"As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our internet provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely," said a Starbucks rep in a statement on Monday afternoon.
Not only should you be on the look out for secret crypto-miners in hacked websites, keep an eye out for shenanigans by network providers, too. ®
Biting the hand that feeds IT
