Suppose a website could morph into a different website when you looked away.
Imagine for a moment that you click away to perform some other task. Then, when you come back a while later, having forgotten exactly which websites were opened on which tabs, you see your Gmail login page...even though you don't actually remember logging out. You think to yourself, "maybe it just logged me out automatically" as many sites now do for security reasons after a certain length of inactivity.
Whatev...you enter your user name and password and proceed to Gmail thinking nothing more than you've just logged in.
But here's what *really* happened. The site you were visiting "noticed" when you weren't looking at it anymore. Then it took advantage of that "opportunity" to morph into what looked like your Gmail (or Facebook, or Citibank, or MySpace, etc.) login page.
Voilà! ...as you've now probably guessed—you've been phished! The bad guys now have your access info and you don't suspect a thing. Isn't that special?
According to Aza Raskin, this "New Type of Phishing Attack" works like this:
- A user navigates to your normal looking site.
- You detect when the page has lost its focus and hasn't been interacted with for a while.
- Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-alike. This can all be done with just a little bit of JavaScript that takes place instantly.
- As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
- After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
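The steps above rely on rewriting the tab's title and favicon while nobody is watching, which is also what makes the pattern detectable: the one cue the page cannot rewrite from JavaScript is its own host. The following JavaScript is an added example, not code from the original post or from Aza Raskin's demo. The `TabnabWatcher` class, the event shapes it consumes and the sample sequence are constructed for this illustration; the core logic is pure so it runs in Node, and the browser wiring at the bottom is the assumed way you would hook it into a userscript or extension content script.

```javascript
// Added example, not code from the original post or from Aza Raskin's demo.
// Records the tab's title, favicon and host as the user last saw them, notes
// any title/favicon change that happens while the tab is hidden, and produces
// a warning naming the tab's real host when the user comes back.
// Event names and the sample sequence below are constructed for this example.

class TabnabWatcher {
  constructor(initial) {
    // Identity cues of the tab as the user last consciously saw them.
    this.baseline = { title: initial.title, favicon: initial.favicon, host: initial.host };
    this.hidden = false;
    this.changes = []; // cue changes observed while the tab was hidden
  }

  // Feed one observation. Returns a warning object when the tab becomes
  // visible again and a cue changed while it was hidden, otherwise null.
  observe(ev) {
    switch (ev.type) {
      case 'hidden':
        this.hidden = true;
        return null;
      case 'visible': {
        this.hidden = false;
        if (this.changes.length === 0) return null;
        const changes = this.changes;
        this.changes = [];
        return { host: this.baseline.host, changes };
      }
      case 'title':
      case 'favicon':
        if (!this.hidden) {
          // Changes while the user is looking are normal on dynamic pages;
          // they just become the new baseline.
          this.baseline[ev.type] = ev.value;
        } else if (ev.value !== this.baseline[ev.type]) {
          // The tabnabbing signal: an identity cue changed while unobserved.
          this.changes.push({ field: ev.type, from: this.baseline[ev.type], to: ev.value });
        }
        return null;
      default:
        throw new Error(`unknown event type ${ev.type}`);
    }
  }
}

// Put the real host in front of the user, since that is the cue the
// attacking page cannot forge.
function warningText(warning) {
  const parts = warning.changes.map(c => `${c.field} changed from "${c.from}" to "${c.to}"`);
  return `This tab still belongs to ${warning.host}, but while you were away its ${parts.join(' and ')}.`;
}

// Replay a constructed sequence mirroring the attack steps: the user leaves,
// the page swaps its cues, the user returns.
function runSample() {
  const w = new TabnabWatcher({ title: 'Some Blog', favicon: '/blog.ico', host: 'blog.example' });
  const events = [
    { type: 'title', value: 'Some Blog - new comment' }, // benign: user is looking
    { type: 'hidden' },
    { type: 'favicon', value: '/assets/gmail-lookalike.ico' }, // constructed path
    { type: 'title', value: 'Gmail: Email from Google' },
    { type: 'visible' },
  ];
  let result = null;
  for (const ev of events) {
    const r = w.observe(ev);
    if (r) result = r;
  }
  return result;
}

// Assumed browser wiring (only runs inside a page): watch the <title>
// element, favicon <link> hrefs and tab visibility, and alert on return.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const iconHref = () => (document.querySelector('link[rel~="icon"]') || {}).href || '';
  const w = new TabnabWatcher({ title: document.title, favicon: iconHref(), host: location.host });
  new MutationObserver(() => w.observe({ type: 'title', value: document.title }))
    .observe(document.querySelector('title') || document.head,
             { childList: true, subtree: true, characterData: true });
  new MutationObserver(() => w.observe({ type: 'favicon', value: iconHref() }))
    .observe(document.head, { attributes: true, subtree: true, attributeFilter: ['href'] });
  document.addEventListener('visibilitychange', () => {
    const r = w.observe({ type: document.hidden ? 'hidden' : 'visible' });
    if (r) alert(warningText(r));
  });
}

console.log(warningText(runSample()));
```

The detector deliberately ignores cue changes made while the tab is visible, so ordinary pages that update their title (unread counts, live feeds) do not trip it; only a change of identity cues during the unobserved window, the exact opportunity the attack needs, is reported, and the report leads with the host so the user can compare it against the login page they are being shown.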
There's even a name for it: it's called tabnabbing. Security news reporter Brian Krebs explains it as "a new phishing concept that exploits user inattention and trust in browser tabs (and) is likely to fool even the most security-conscious Web surfers."
If you would like to see it in action, go to: A New Type of Phishing Attack. In the meantime, pay close attention to which sites you actually have open on which tabs.