A security token can be worth as much as a set of credentials

Oct 28, 2011 14:26 GMT

The Anti-CSRF tokens generated by Facebook and other websites that want to keep their customers protected are being targeted by cybercriminals who can use them to temporarily take over an account.

Symantec researchers did a little digging on the matter and found a few cunning plots in which attackers try to dupe users into providing the highly desired codes.

Cross-site request forgery (CSRF) is an attack in which the victim's active, authenticated session is hijacked by the attackers to perform operations the victim never intended. Once the security token is obtained, the attacker can do whatever he wants, because the website's server accepts his forged requests as legitimate.

Anti-CSRF tokens are usually randomly generated strings, submitted as a hidden input parameter for each session. Once the session is terminated or expires, the code is no longer valid.
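To make the token mechanism just described concrete, here is an added example of a minimal server-side issue/verify pair (this is illustrative code, not Symantec's or Facebook's; the server key, session IDs and timestamps are constructed). The token is accepted only together with the session it was issued to and only until it expires, which is why a code handed over to an attacker gives a time-limited, not permanent, foothold.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for this example; a real deployment keeps it
# out of source code and rotates it.
SERVER_KEY = b"example-server-key-not-for-production"


def issue_token(session_id: str, now: int, ttl: int = 900,
                nonce: Optional[str] = None) -> str:
    """Issue an anti-CSRF token bound to one session and an expiry time.

    The HMAC covers the session id, so the token is useless with another
    session's cookie, and covers the expiry, so it cannot be extended.
    """
    expires = now + ttl
    nonce = nonce or secrets.token_hex(8)
    msg = f"{session_id}|{expires}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{nonce}.{mac}"


def verify_token(session_id: str, token: str, now: int) -> bool:
    """Accept the token only for the session it was issued to, before expiry."""
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if now >= expires:
        return False  # expired: a leaked code is no longer valid
    msg = f"{session_id}|{expires}|{nonce}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_state_changing_request(session_id: str, form: dict, now: int) -> str:
    """Server-side handler: reject any request whose hidden token fails to verify."""
    token = form.get("csrf_token", "")
    if not verify_token(session_id, token, now):
        return "403 rejected"
    return "200 ok"
```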

Because it takes a bit of social engineering to obtain the code, crooks have developed ingenious ways to make sure they aren't left empty-handed.

In the example provided by Symantec, the victim is faced with an apparently harmless Facebook ad that promises something worthwhile. If the link is clicked, a fake YouTube page appears that allegedly needs to verify the member's identity before a video can be played.

This is where the clever part begins. The window that supposedly performs the verification contains two main elements: a Generate Code link and a text field where the generated code is to be entered. The link actually triggers JavaScript that requests the token from Facebook and then displays it on the screen.

The victim unknowingly hands over the piece of text and with it his current session.

“Although by and large we haven’t seen attackers propagate malicious browser exploits and drive-by-downloads using these spam campaigns, we conjecture that attackers might naturally gravitate towards this in the near future,” revealed the researchers.

“Furthermore, attackers are using some really innovative social engineering techniques to trick their victims. We advise users to keep their security software up-to-date and not click on any links that seem suspicious.”