What I never understood is why an attacker couldn't just mirror the user's actions to the real site and scrape the confidence image or word from there to show on the phishing site. What am I missing?