What makes man-in-the-browser attacks so dangerous?