How is this possible?
" It opens the actual page so the URL looks correct, but at the same time loads a full-window iFrame that overlays the malicious content directly over the real site, lending an air of legitimacy. "
That means that a bad page is impossible to detect. So all the happy green keys in the URL bar are pointless.
All is lost.