Fake site.

You login with your credentials, the attacker logins to the real site.

You get an SMS with a one time code from the real site and input it to the fake site.

The attacker takes the code andc finishes the login to the real site.