Tabnabbing – New Phishing Technique

I’ve just seen a retweeted link (@tputh via @tomcavil) which I found pretty interesting:

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

To summarise: the user leaves the page unfocused for a minute, and the page changes its design to that of a well-known site, complete with login box. The site then records the user’s details, and voilà, the user can be hacked.

I’ve not yet experienced this (I hope!), nor seen it in action, but I can easily see how it could fool someone. I often leave tabs open, forget I’m logged in and then have to log in again on session timeout. Thinking about it, I don’t check the URL when I do either.

Also, from a non-phishing point of view, I think it’d be interesting to change the page depending on the user’s level of activity. Leave focus for a minute and have a popup appear, for instance. This could be especially useful on a form, warning the user of a session timeout/limit.
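The legitimate version of that idea, as an added example that is not from the original post or the linked article: a page that notices the user has come back to the tab after being away and, depending on how long they were gone, either warns that the session is close to expiring or tells them it has already expired. It uses the browser’s Page Visibility API (`document.visibilityState` and the `visibilitychange` event), which is the same signal a tabnabbing page would listen for, here used only to render an honest banner on the page’s own origin. The session lifetime and warning threshold are assumed values, and the decision logic is kept in a pure function so it can be exercised without a browser.

```javascript
// Added example (not from the original post): warn a returning user about a
// session timeout, based on how long the tab was hidden.

const SESSION_LIMIT_MS = 15 * 60 * 1000; // assumed server-side session lifetime
const WARN_THRESHOLD_MS = 60 * 1000;      // assumed: warn once the user was away for a minute

// Pure decision: given when the tab was hidden and when it became visible again,
// what should the page show? Returns { action: 'none' | 'warn' | 'expired', awayMs }.
function decideOnReturn(hiddenAt, visibleAt, limitMs = SESSION_LIMIT_MS, warnMs = WARN_THRESHOLD_MS) {
  if (hiddenAt === null) return { action: 'none', awayMs: 0 }; // never hidden, nothing to say
  const awayMs = visibleAt - hiddenAt;
  if (awayMs >= limitMs) return { action: 'expired', awayMs };
  if (awayMs >= warnMs) return { action: 'warn', awayMs };
  return { action: 'none', awayMs };
}

// Wires the decision to a document-like object. `render` receives the decision;
// `now` is injectable so the timing can be controlled outside a browser.
// Returns the installed handler so a caller can remove it later.
function installReturnWatcher(doc, render, now = () => Date.now()) {
  let hiddenAt = null;
  const onChange = () => {
    if (doc.visibilityState === 'hidden') {
      hiddenAt = now(); // remember when the user left the tab
      return;
    }
    const result = decideOnReturn(hiddenAt, now());
    hiddenAt = null;
    render(result);
  };
  doc.addEventListener('visibilitychange', onChange);
  return onChange;
}

// Renders a plain banner using textContent (never innerHTML), so the message
// cannot be turned into markup. Hypothetical element id.
function showBanner(doc, { action, awayMs }) {
  if (action === 'none') return;
  const minutes = Math.round(awayMs / 60000);
  let banner = doc.getElementById('session-banner');
  if (!banner) {
    banner = doc.createElement('div');
    banner.id = 'session-banner';
    doc.body.prepend(banner);
  }
  banner.textContent = action === 'expired'
    ? `You were away ${minutes} min; your session has expired. Please log in again.`
    : `You were away ${minutes} min; your session will expire soon.`;
}

// Only attach to the real document when running in a browser.
if (typeof document !== 'undefined') {
  installReturnWatcher(document, (result) => showBanner(document, result));
}
```

The banner is drawn by the page on its own origin, so the address bar still shows the real site; that is the distinction between this and the attack in the linked post, which relies on the user not looking at the URL when the page redraws itself.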

I might have a play with it, see if I can make anything interesting.