When I built the visual spoofing demo, I could have done it in several ways, including a chromeless window, but I went for the simplest way. It turns out that some smart phisher recently launched a chromeless window-based phishing attack. Following is a screenshot of the browser window showing the phishing site, which was still active at 11:51 AM.
The webpage and the URL portion of the address bar are fake. What's happening is that the phishing site opened a chromeless window to overlay the fake URL over the real address, which can be discerned by dragging another window over it. It's using an IE 5.5-specific feature to float the fake URL over everything. The interesting thing about this trick is that it can potentially defeat many phishmark implementations, such as my own 9-block phishmark. PassMark and background-based phishmarks are still effective, though.