I might be wrong, but wouldn't this basically mean that you have to know which transactions the pool will mine into the block and which time stamp it uses?
Is there some literature about this attack?
I am a little astonished that basically all the pools shall be vulnerable. This attack would double the evil miners income, hard to believe that it's not more commonly done.
Thanks for you answers.
the getblocktemplate protocol allows you to get a work that usually has 2^64 nonce-space (the original nonce and extra-nonce that is a part of coinbase txn)
Then you split this gob into several ones between some of your miners, for example by submitting to 256 miners the getblocktemplate response that allows 2^56 nonces to be tested. The shares found by miners you pass over to the victim pool except ones that solve the block at current target.
Edit: As far as I remember, the information you receive with getblocktemplate is not enough to submit a block to the network yourself. So, you can make a damage to the victim, but can't get immediate profit from submitting a block. I may be wrong though.