Cross-site request forgery (CSRF) attacks are becoming a more common attack method used by hackers. These attacks take advantage of the trust a website has for a user’s input and browser. The victim is tricked into performing a specific action they were not intending to do on a legitimate website; where they are authenticated to.
CSRF attacks will use the identity and privileges that the victim has on the website to impersonate them and perform malicious activity or transactions. Attackers will attempt to take advantage of users who have login cookies stored in their browsers. Ecommerce sites that send cookies to store user authentication data are vulnerable to this attack.
An example of a CSRF attack is if a victim were to log in to their banking website and while their session is active, they receive an email with a request to click on a link. If this victim clicks the link, a script would execute against the banking site to transfer funds from their account into one the attacker has designated. Here, the attacker has impersonated the victim by using the victim’s login information, computer and IP address for the attack.
Instead of emailing while authenticated into a site, an attacker may have code injected into the site and just wants the user to click on the link for the executable to run. This code would then run the malicious transaction.
Sometimes it can be a challenge for the victim to claim someone else performed the malicious transaction because their login information and IP were previously used for it. This can contribute to a more detailed and longer investigation that the financial institution would perform before allowing a credit or reversal of the transaction.
How to prevent CSRF attacks
To prevent CSRF attacks on the server side, banks and merchants should transition from cookies that perform session-tracking to session tokens that are dynamically generated. This would make it more difficult for an attacker to get a hold of a client’s session.
Don’t trust that the site you're visiting has measures in place to prevent CSRF attacks. Many sites do have controls in place to protect against it, but it is not a good practice to assume this. Some sites could have controls in place today but after an upgrade or change in the code, may remove them later.
For users to prevent CSRF attacks, it is important to understand that you must already be authenticated into a certain website to be vulnerable. Banking or any site that performs financial transactions and has a high usage rate are the primary targets of these attacks.
6 actions you can take to prevent a CSRF attack
- Make sure your anti-virus software is up to date. Many malicious scripts can be blocked and quarantined by this software.
- Do not open any emails, browse to other sites or perform any other social network communication while authenticated to your banking site or any site that performs financial transactions. This will prevent any malicious scripts from being executed while being authenticated to a financial site.
- Whenever you finish a banking or financial transaction on a site always log off immediately. Don’t just minimize or close the browser. If you do, it will make you vulnerable to an attack.
- Never save your login or password for a banking or financial institution site within your browser. Malicious code in CSRF attacks is usually written to take advantage of this information that is within your browser
- Disable scripting in your browser. Firefox has a plugin that can prevent scripts from running.
- Run all your financial or banking transactions in one browser and all your other browsing within another. This way an attacker cannot make your general web browser do anything malicious to your banking or financial transaction browser.
As more financial transactions process on the internet, CSRF attacks will continue to grow. Also, the rise in using social network sites will contribute to the delivery of scripts that trigger these attacks. Following the preventive actions I have listed will reduce the possibility of you becoming a victim of a CSRF attack.