Yes it DOES work, it's a matter of the REQUEST not the RETURN.
If you're logged in to www.xpto.com
and get into the xpto.com's attacker site www.scammerzR.us
a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say, www.xpto.com
's creator is lousy coder, to withdraw btc all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress
" /> would make you transfer all from your account to his.
CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.