It is a simple man-in-the-middle attack. The proxy will forward the username and echo back whatever it receives from the bank.
The reason it might work in this case is because the assumption is that people will only verify the browser bar when they first arrive on the page, and not when they have been "tab nabbed" like this
The reason it might work in this case is because the assumption is that people will only verify the browser bar when they first arrive on the page, and not when they have been "tab nabbed" like this