"…At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user — usually from something like a search box or e-mail form — but do not prevent users from entering malicious code or other instructions.
Once the code is entered, the URL that the Web site spits back can then be used for phishing scams. Unlike other scams, the URLs used in these cases look more legitimate. A typical XSS attack usually goes like this: The bad guys send out e-mails designed to look like they were sent by a trusted e-commerce company. The e-mails instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site — i.e., the hacker’s own copy of a real login form — the link puts the visitor on the Web site of the trusted brand, thereby giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker." – Content courtesy of Security Fix – Creating a Public Nuisance with Insecure Web Sites