I'm not sure what kind of websites are vulnerable to these attacks, but websites that have double authentication seem pretty safe to me. And if you forgot your password, then you receive an e-mail to change it with a secure link.

This point means the user is not paying attention: 1) User goes to BAD website and signs up. Steps 2-7 wouldn't be possible without 1.

"User not paying attention" is ultimately the reason for most phising attacks. It happens a lot, and we're trying to solve it as the known problem it is. Everybody, and I say everybody are human beings at the end of the day (so far...) and so by definition, can have a bad day and lower their defenses. It has ironically even happened to reputated security specialists.