All the while, the user still sees the legitimate site’s URL in the address bar on the browser, as pictured above.
You will notice that it quite clearly says that it is being downloaded from ha.ckers.org, but the vast majority of users won’t understand what that means, since, of course, they are quite clearly on the EV cert protected addons.mozilla.org. Also, presumably an attacker would normally pick something like addons.mozilla.org.xyx.com instead of ha.ckers.org. Worse yet, it blocks the user from downloading the legitimate file until they take action on what my malicious website is prompting them to do.
Trying to explain the details of that kind of attack to the average user would be a fool’s errand, and even security-conscious Web users might have a difficult time recognizing the attack when it happens.