I was playing with name resolution in Windows and I found that it sends broadcast requests over the network for hostnames not resolved by the DNS or WINS services. This is characteristic behaviour of Windows; *nix boxes do not send any such broadcast requests. As these are broadcast requests, they can easily be abused to carry out phishing attacks. I wrote a small paper on this. You can access it here.
UPDATES: Here is a good article from Microsoft which discusses this process in detail.

Here are a few drawbacks of this attack:
1. This attack will only work for domain names that are less than 16 characters.
2. Routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved, and the attacker thus has to be on the same local network.
3. The victim has to enable NetBIOS over TCP/IP to send out broadcast requests.
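
For defenders, the 16-character limit and the broadcast behaviour above can be seen directly in the NetBIOS Name Service packet format. The following is an added example, not code from this post or the paper: it decodes NBNS datagrams (UDP/137) and lists answers to broadcast queries that a name-to-IP inventory does not confirm. The function names, the inventory mapping and the sample packets are assumptions made for illustration, and the parser assumes the name at offset 12 is not compressed.

```python
import socket
import struct

R_FLAG, B_FLAG = 0x8000, 0x0010  # response / broadcast bits, NBNS header (RFC 1002)

def encode_name(name, suffix=0x00):
    """First-level encoding: 15 padded chars + 1 suffix byte -> 32 letters A..P."""
    if len(name) > 15:
        raise ValueError("NetBIOS names hold at most 15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(n + 0x41 for c in raw for n in (c >> 4, c & 15)) + b"\x00"

def decode_name(field):
    """Inverse of encode_name; returns (name, suffix), ValueError if malformed."""
    ok = len(field) == 34 and field[0] == 0x20 and field[33] == 0
    if not ok or any(not 0x41 <= b <= 0x50 for b in field[1:33]):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes((field[i] - 0x41) << 4 | (field[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns(payload):
    """Parse a UDP/137 datagram; raises ValueError when the name field is truncated."""
    name, suffix = decode_name(payload[12:46])
    txid, flags, _qd, ancount = struct.unpack(">4H", payload[:8])
    has_rr = flags & R_FLAG and ancount and len(payload) >= 62
    # The address sits after the RR's type, class, TTL, rdlength and NB flags.
    addr = socket.inet_ntoa(payload[58:62]) if has_rr else None
    return {"txid": txid, "name": name, "suffix": suffix, "addr": addr,
            "response": bool(flags & R_FLAG), "broadcast": bool(flags & B_FLAG)}

def unexpected_answers(packets, inventory):
    """Answers to broadcast queries that the name -> IP inventory does not confirm."""
    pending, hits = {}, []
    for src, payload in packets:
        m = parse_nbns(payload)
        if not m["response"] and m["broadcast"]:
            pending[m["txid"]] = m["name"]          # remember the name that was asked for
        elif m["response"] and pending.get(m["txid"]) == m["name"]:
            if inventory.get(m["name"]) != m["addr"]:
                hits.append((src, m["name"], m["addr"]))
    return hits

# Constructed sample traffic (not a capture), using documentation addresses.
def sample_query(src, txid, name):
    return src, struct.pack(">6H", txid, 0x0110, 1, 0, 0, 0) + encode_name(name) + b"\0\x20\0\x01"
def sample_answer(src, txid, name):  # the responder claims the name for its own address
    rr = struct.pack(">2HI2H", 0x20, 1, 300, 6, 0) + socket.inet_aton(src)
    return src, struct.pack(">6H", txid, 0x8500, 0, 1, 0, 0) + encode_name(name) + rr
SAMPLE = [sample_query("192.0.2.10", 1, "FILESRV"), sample_answer("192.0.2.20", 1, "FILESRV"),
          sample_query("192.0.2.10", 2, "OLDPRINTER"), sample_answer("192.0.2.66", 2, "OLDPRINTER")]
```

With an inventory of `{"FILESRV": "192.0.2.20"}`, `unexpected_answers(SAMPLE, inventory)` reports only the answer from 192.0.2.66, because the name it claims has no inventory entry.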