New computer threat: Tab napping

Mosca (Mouseketeer, joined Mar 28, 2010, 135 messages)
Note, Mac users, we are NOT secure from this. It relies on the user "letting it in".


http://mcs-notes1.open.ac.uk:8080/t...DB3076B513FC123980257730004859FB?OpenDocument
A new phishing concept that exploits a user's inattention and his or her trust in multiple tabs in a current browser session is potentially likely to confuse and make vulnerable even the most security-conscious of Web surfers. It's described in Brian Krebs's link below.

The attack (demonstrated on Aza Raskin's site also linked below) is simple. The scenario suggested is that a user has a browser with multiple tabs open. He or she then visits a malicious site that uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits. In the demonstration, this is a fake Gmail page. The exploit has been nicknamed 'Tab napping'.

The proof of concept site linked below has a working example which you can experience. This is yet another potential security hazard that users will have to watch out for when working with multiple tabs in a browser. The Vimeo example below makes it clear that such an attack does not change the URL in the browser, but many users don't always double-check that against the tab they are looking at.

The recommendation is that you should never log in on a tab that you haven't opened yourself. Since the tabnapping tactic relies on you trusting that you opened the tab - and that the site simply timed out before you used it - the best defence is that if you see a tab that contains a seemingly legitimate log-in form, close it, then open the site you want to use directly in a new tab or window.
 
The next version of Firefox will address this vulnerability but until then running NoScript in Firefox (and only allowing script from the root domain to run) will stop this problem.

If you are running NoScript in Firefox, you can open a blank tab and type about:config into the address bar. Up top in the filter you can type noscript.forbidBGRefresh, which will give you two options. The first one will have a default value of 1, which means blocking refreshes on untrusted, unfocused tabs only. I recommend changing the value to 3, which blocks the auto-refresh of both trusted and untrusted tabs, by right-clicking the option and selecting Modify.
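As an added illustration (not from the original post or from NoScript): the swap described above changes the title, favicon and page body of a tab while it is unfocused, so a user script or extension content script can snapshot those on "hidden" and compare on "visible". The sample snapshots and the host names in it are constructed for the example; the DOM wiring at the bottom assumes it runs in a browser.

```javascript
// Added example: a defender-side watchdog that flags a tab whose identity
// changed while it was not in focus (the tabnapping pattern). The comparison
// logic is pure so it also runs under Node; only the last block needs a DOM.

// Snapshot the things a user relies on to recognise a tab.
// `doc` is a Document (or, in tests, an object with the same shape).
function snapshotTab(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const forms = Array.from(doc.querySelectorAll('form'));
  return {
    title: doc.title,
    favicon: icon ? icon.href : null,
    // Hostnames that any form containing a password field would submit to.
    loginTargets: forms
      .filter((f) => f.querySelector('input[type="password"]'))
      .map((f) => new URL(f.action || doc.location.href, doc.location.href).hostname)
      .sort(),
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken on return.
// Returns human-readable findings; an empty list means nothing visible changed.
function detectTabSwap(before, after) {
  const findings = [];
  if (before.title !== after.title) findings.push(`title changed: "${before.title}" -> "${after.title}"`);
  if (before.favicon !== after.favicon) findings.push(`favicon changed: ${before.favicon} -> ${after.favicon}`);
  const gained = after.loginTargets.filter((h) => !before.loginTargets.includes(h));
  if (gained.length) findings.push(`new password form(s) posting to: ${gained.join(', ')}`);
  return findings;
}

// Constructed sample: a forum tab that came back looking like a webmail login page.
const SAMPLE_BEFORE = { title: 'Some Forum', favicon: 'https://forum.example/favicon.ico', loginTargets: [] };
const SAMPLE_AFTER = { title: 'Webmail: Sign in', favicon: 'https://forum.example/mail.png', loginTargets: ['forum.example'] };

// Browser wiring (skipped under Node): snapshot on hidden, compare on visible.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotTab(document);
    } else if (hiddenSnapshot) {
      const findings = detectTabSwap(hiddenSnapshot, snapshotTab(document));
      if (findings.length) console.warn('Tab changed while unfocused:\n' + findings.join('\n'));
      hiddenSnapshot = null;
    }
  });
}
```

Note that the URL bar is the one thing this swap cannot forge, which is why the advice above is to close the tab and open the site yourself.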