Aza Raskin (http://en.wikipedia.org/wiki/Aza_Raskin) a creative lead for Firefox, has a published proof-of-concept for a browser-based attack in which open pages in a browser are switched to carry out phishing attacks. His example shows a Gmail login look-alike page which is inserted into a browser.
When a victim goes back to that page, he assumes he’s been logged out and types in his log-in information which is forwarded to the phishing operator’s site.
There are a lot of ugly possibilities, Raskin writes: “Using my CSS history miner you can detect which site a visitor uses and then attack that. For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.”
Raskin blog here: “A New Type of Phishing Attack”
Well-known security blogger Brian Krebs also wrote about Raskin’s find very nicely here.