Evolving Phishing Attacks Using Web Vulnerabilities?
miahrogers writes "The IRS Scam from a few weeks ago was not the usual canned phishing attack; it
exploited a vulnerability in the IRS benefits website to make users
think they were at a government site. Also, according to InfoWorld, eBay's own fraud team was tricked into thinking a phishing email was legitimate eBay correspondence. Mix the above IRS exploit with a phony
email and you have misplaced trust that foils even professional fraud
teams. Interestingly enough, the newest addition to my bookshelf predicted these attacks in full detail. From chapter 4: 'Combined with vulnerable Web servers allowing the "trusted" domain to launch
the attack, it will be harder to determine whether the email is or
isn't legitimate. When a person turns in the e-mail to question its
legitimacy, due to the known marketing campaign a tech support
representative may overlook the fraud report and tell the customer
that XYZ company did send out such a marketing e-mail and it is OK to
click the links.' Are phishers using this book as a tool, or is it a
legitimate prediction? As an IT professional, what efforts should our
corporate IT department be making to proactively eliminate these
vulnerabilities?"