Using a cross site scripting exploit, this site here was able to display text of their choice on sites such as the MasterCard, Barclays, and others. By using these sites, rather than their own, they can present to you, even under SSL conditions, whatever they want to and you would not know the site was under the control of someone else.
Needless to say, this opens a new avenue for phishing attacks that could occur even if you go directly to, for example, your banking site. Or Amazon. Or eBay. Or PayPal. You don't need to respond to emails. You don't need to click on links. All you have to do is visit your bank, etc. The attackers could conceivably create such a realistic presentation on your own site that you would not know you have been taken over.
Unfortunately, the site does not indicate how to prevent such attacks (Another site says to check all user provided input in forms. However, they give no examples for what to look for.).
