Part of my comment on GMail was an implicit jab at the monoculture it engenders. It was crystal clear to me that this attack isn't limited to GMail. I would like others to consider what other service could be spoofed like this with anywhere near as good a return on investment, precisely because other services aren't as widely used.
3) Never, ever enter important credentials to a site you didn't open from a bookmark.
Sure, but most users are careful when they first log in to a site like gmail, but then leave the tab open. Mentally, you know you only opened your gmail tabs from a bookmark, so any gmail tab already open must be safe. That's what the attack plays on - you're not on your guard, so don't check the URL.
OP doesn't understand that this kind of attack (or most attacks for that matter) isn't targeted to the sophisticated user; it's targeted to the majority of the population. The majority of the population isn't running NoScript, is using the vanilla settings that the browser came with (which means JavaScript is turned on) and doesn't think twice about entering their credentials into a site that they trust.
2) Also, I don't use GMail; say what you will, it's another defense against this.
3) Never, ever enter important credentials to a site you didn't open from a bookmark.
EDIT: Downvotes for effective strategies against this attack? Stay classy, HN. Stay classy.