It is very easy to get a lock icon on bankofamericaa.com and to get your browser to insist you are speaking to the real bankofamericaa. What makes this bug interesting is you can get a lock icon for a fake website on bankofamerica.com using a MITM attack: making convincing "secure" websites on alternative URLs has always been possible.