With relative ease, you can build websites with a cheap $10 SSL that can impose to be a PayPal page. JavaScript can provide phishing and accessing cookies, but beyond that, I'm not really sure what else it can offer.
It may be simple code, but I think the title of the post explained that.
> JavaScript can provide phishing and accessing cookies, but beyond that, I'm not really sure what else it can offer
if you had success putting your JS payload on target website you can do anything. Period. From from stealing user's passwords (http://homakov.blogspot.com/2012/11/xss-save-your-password-p...) to executing any authorized request POST /send_money. The last thing attacker will do is to "phish" you.
It may be simple code, but I think the title of the post explained that.