I'm finding that if I use SET and the tab nabbing vector attack that if a user already has gmail opened and then clicks on the malicious link in a gmail message (which is the normal way things would proceed) and then navigates away from the "Please wait while page loads..." message, indeed the tab changes to the malicious website with a cloned version of the sign in for gmail, but it does not work if they already have gmail open on another tab.
It does work, however, at least on my platforms, if they have not already signed into gmail - but then of course how are they going to get the malicious email to open up if they haven't signed into gmail in the first place?
I've also noticed a persistent message from IE7 and IE8 as well as Firefox when attempting to run this attack vector: "Your browser's cookie functionality is turned off. Please turn it on.", when in fact cookie functionality is on.
Is there something I'm missing here?