It turns out that halfway clever phishing attacks really, really work

A new phishing attack hops from one Gmail account to the next by searching through compromised users' previous emails for messages with attachments, then replies them from the compromised account, replacing the link to the attachment with a lookalike that sends you to a fake Google login page (they use some trickery to hide the fake in the location bar); the attackers stand by and if you enter your login/pass, they immediately seize control of your account and attack your friends. Read the rest