On clickjacking

Posted on Mar 06, 2013

I recently had to do some research for a colleague who had some questions about "clickjacking", the practice of hosting a website inside a hidden or transparent iframe (the target), positioning that frame on top of another innocuous, innocent-looking page (the attacker) that has a call to action. The user clicks what they think is something simple (like a video play button) but instead they're clicking on a page element inside the transparent iframe, initiating some action on the target website.

For example, an attacking website could get a user to log in to their banking website without them knowing, depending on whether the user had configured their browser to autofill their username and password on that site. The attacking site could go on to do lots of other things, tricking the user into transferring money or whatever.

Scary stuff.
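The defence against the scenario above is for the target site to tell browsers who may frame it. As an added example (not code from the original post), here is a small audit helper that takes a site's own response headers and reports whether an arbitrary third-party origin could frame the page; it assumes the caller passes header names already lowercased, and the sample headers at the bottom are constructed for illustration.

```javascript
// Added example: audit response headers for the two framing controls browsers
// honour: Content-Security-Policy "frame-ancestors" and X-Frame-Options.
// Assumes `headers` is a plain object keyed by lowercased header name.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      // strip the quotes around keywords such as 'self' and 'none'
      return parts.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // When both headers are present, frame-ancestors takes precedence.
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { openToAnyOrigin: false, reason: "frame-ancestors 'none'" };
    }
    // '*' or a bare scheme source (e.g. "https:") lets any origin frame the page.
    const broad = ancestors.filter(a => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a));
    if (broad.length) {
      return { openToAnyOrigin: true, reason: 'frame-ancestors allows ' + broad.join(' ') };
    }
    return { openToAnyOrigin: false, reason: 'frame-ancestors limited to ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { openToAnyOrigin: false, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Current browsers ignore ALLOW-FROM entirely, so it gives no protection.
    return { openToAnyOrigin: true, reason: 'X-Frame-Options ALLOW-FROM is not honoured by current browsers' };
  }
  return { openToAnyOrigin: true, reason: 'no framing restriction sent' };
}

// Constructed sample: a page that sends nothing, and one that is properly locked down.
const SAMPLE_UNPROTECTED = { 'content-type': 'text/html' };
const SAMPLE_PROTECTED = { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" };
console.log(framingPolicy(SAMPLE_UNPROTECTED));
console.log(framingPolicy(SAMPLE_PROTECTED));
```

Run it against the headers your own site returns; a result of `openToAnyOrigin: true` on a page with authenticated actions is the condition the post describes.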