This combines RSnake's Popup & Focus URL Hijacking* with Paul Stone's
login detection to enhance phishing attacks.
The basic concept behind this attack is to use URL hijacking to change a legitimate login page to a fake one in the gap between when the user checks the URL and when they enter their username/password.
This implementation uses polling to detect the moment the user logs in, then redirects them to a classic phishing page saying their password was incorrect, and hopes that they don't re-check the URL.
View the demo (Tested in Firefox 3.x, probably doesn't work in IE)
I have left the iframes visible for clarity. Obviously, in a real attack they'd be invisible and the phishing URL would be a nice reassuring shade of green along the lines of https://google.evildomain.com/account
Scope for improvement
As you've probably noticed if you tried the demo, there is a clear delay between clicking login and getting redirected. This delay could be significantly reduced by using the login detection with a page that doesn't send a redirect (and isn't encrypted). That said, there are probably completely different approaches to identifying this moment that have less delay anyway.
Website owners could prevent framing by using frame-busting code/X-Frame-Options etc. They ought already be doing to this protect against (the much more severe attack) clickjacking. Users should just check the URL every time they enter their password, I guess.
Comments&Feedback appreciated :)
*If server is still down try the cached version
EDIT October 2011: This demo no longer works, as Google has prevented the login-detection by using X-Frame-Options. I have no plans to fix it.