Some credit card sites have this bug.
Log-in page loads over http:/// and then it submits to https:/// which is very vulnerable.
I hacker can change the login page (over http) to point to his own site. Before clicking submit you have to debug the page to find out if it is submitting to the correct site... and by that time it is too late. They can afterwards fake loading error and forward to original page...
And even worse, on some site I couldn't find a log-in form loaded over https.
Please note, that no fishing is required to do this - it can be done over live traffic. The attacker modifies the login page on the fly because it is loaded over http.