Imagine the following scenario. You are browsing the web and have multiple open browser tabs. You need to check your emails and remember that you had the Gmail page open earlier. You quickly scan the list of tabs, looking for the familiar Gmail favicon and page title, click on it, and see the Gmail login page. Your session probably timed out, so you provide the credentials and log in. Pwned! The attacker just stole your password.
As an information security professional, I am paranoid by nature. I am glad to realize that the way I have been browsing the web for the past few years already protects me against this type of phishing attack. My paranoia finally pays off :-) I have 2 browsers. I use browser A for my general needs, and browser B only for my important authenticated sessions: my webmail, bank, broker, etc. Also, I only have one tab open at a time in browser B, and I always log off before opening another site in this tab. If I were to see a Gmail page in browser A, amongst my myriad of other tabs, it would immediately raise a red flag.
But the reason I have been browsing this way was not originally to protect me against this specific type of phishing attack. After all, I only learned about it today! I follow this strict habit in order to defend myself against CSRF vulnerabilities — one of the biggest and most overlooked classes of web security vulnerabilities in my opinion. As a matter of fact, Gmail itself was vulnerable to CSRF at least 2 times in recent history (January 2007, March 2009). This is why I only have one tab open at a time in my second browser. No other site open means that no other site can perform a CSRF attack against my authenticated session. The two browsers help me make this strict procedure much less painful, as I can visit as many unauthenticated sites as I want in the other one. Of course I may sometimes visit authenticated sites in the latter, but only if I consider them unimportant, i.e. if I consider it a non-issue to have my credentials stolen via CSRF.
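To make the CSRF point concrete, here is an added example (mine, not from the original post, and not Gmail's code): a small in-memory model of a webmail server and a "browser" that attaches the session cookie to every request to that server, which is what browsers did with session cookies at the time. A page from another site open in a second tab submits a forged POST; the vulnerable server accepts it because the cookie is all it checks, while the hardened variant requires a per-session synchronizer token that the other site cannot read, and rejects requests whose Origin header names a different site. Every name in it (mail.example, attacker.example, the /settings/forward path, the forwarding-address setting) is made up for illustration.

```python
"""Added example: why a second open site can act on your authenticated session,
and what a synchronizer (CSRF) token plus an Origin check change about that.
Hostnames, paths and the settings endpoint are invented for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]        # attached automatically by the browser
    form: Dict[str, str]
    origin: Optional[str] = None   # Origin header; older browsers omitted it


class VulnerableServer:
    """Authenticates purely by the session cookie: any POST carrying a valid
    cookie changes account state, no matter which page issued it."""

    def __init__(self):
        self.sessions: Dict[str, str] = {}     # session id -> username
        self.forward_to: Dict[str, str] = {}   # username -> forwarding address

    def login(self, user: str) -> Dict[str, str]:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return {"sid": sid}                    # the cookie the browser stores

    def handle(self, req: Request) -> int:
        user = self.sessions.get(req.cookies.get("sid", ""))
        if user is None:
            return 401
        if req.method == "POST" and req.path == "/settings/forward":
            self.forward_to[user] = req.form["address"]
            return 200
        return 404


class HardenedServer(VulnerableServer):
    """Same application, plus a per-session token embedded in the legitimate
    form (unreadable from another origin) and a check on the Origin header."""

    ORIGIN = "https://mail.example"            # assumed site origin

    def __init__(self):
        super().__init__()
        self.tokens: Dict[str, str] = {}       # session id -> csrf token

    def login(self, user: str) -> Dict[str, str]:
        cookie = super().login(user)
        self.tokens[cookie["sid"]] = secrets.token_hex(16)
        return cookie

    def render_form(self, cookies: Dict[str, str]) -> Dict[str, str]:
        # The real settings page carries the token in a hidden field; a page on
        # attacker.example cannot fetch this page cross-origin and read it.
        return {"csrf": self.tokens[cookies["sid"]]}

    def handle(self, req: Request) -> int:
        if req.method == "POST":
            if req.origin is not None and req.origin != self.ORIGIN:
                return 403                     # cross-site request, refuse
            expected = self.tokens.get(req.cookies.get("sid", ""))
            supplied = req.form.get("csrf", "")
            if expected is None or not secrets.compare_digest(expected, supplied):
                return 403                     # missing or wrong token
        return super().handle(req)


def cross_site_attack(server: VulnerableServer, victim_cookies: Dict[str, str],
                      send_origin: bool = True) -> int:
    """A page in another tab auto-submits a form to the webmail site. The
    browser attaches the victim's cookies; the attacker never sees them and
    cannot guess the token, so the form only contains the attacker's data."""
    forged = Request("POST", "/settings/forward", cookies=victim_cookies,
                     form={"address": "attacker@attacker.example"},
                     origin="https://attacker.example" if send_origin else None)
    return server.handle(forged)


def legit_change(server: VulnerableServer, cookies: Dict[str, str], address: str) -> int:
    """The user changes the setting from the real settings page."""
    form = {"address": address}
    if isinstance(server, HardenedServer):
        form.update(server.render_form(cookies))
    return server.handle(Request("POST", "/settings/forward", cookies, form,
                                 origin=HardenedServer.ORIGIN))


def demo() -> Dict[str, tuple]:
    """Run the forged request against both servers; return (status, stored address)."""
    results = {}
    for name, srv in (("vulnerable", VulnerableServer()), ("hardened", HardenedServer())):
        cookies = srv.login("alice")           # alice is logged in, tab still open
        status = cross_site_attack(srv, cookies)
        results[name] = (status, srv.forward_to.get("alice"))
    return results


if __name__ == "__main__":
    for name, (status, address) in demo().items():
        print(f"{name}: forged POST -> {status}, forwarding address now {address!r}")
```

The author's one-tab discipline removes the precondition the forged request depends on: with no other site loaded in that browser, nothing is there to submit the form while the cookie is live. The token and Origin checks are the server-side version of the same idea, and the model also shows why the token matters on its own: a browser that sends no Origin header still gets a 403 because the form lacks the session's token.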
Comments are welcome. I would love to hear ideas to make browsing more secure.