Yes, there is existing software to automate this; I presume that competent bad guys already use that.
However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.
AFAIK zero banks use WebAuthn...
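The origin binding described in the comment above, seen from the relying party's side, as an added example that is not part of the original comment. `browser_assertion` is a constructed stand-in for the browser and authenticator, `check_assertion` is a hypothetical name for the server-side checks, and signature verification (which covers both fields and would follow) is left out.

```python
import base64, hashlib, hmac, json

RP_ID = "real-bank.example"                   # domain from the comment's example
EXPECTED_ORIGIN = "https://real-bank.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for browser + authenticator output. The browser,
    not the page, writes the origin into clientDataJSON; the authenticator
    puts SHA-256(rpId) at the start of authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = bytes([0x01])                     # UP (user present) bit set
    counter = (1).to_bytes(4, "big")          # signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return client_data, auth_data

def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks made before verifying the signature, which is
    computed over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "reject: wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return "reject: challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if len(auth_data) < 37:                   # 32 hash + 1 flags + 4 counter
        return "reject: short authenticatorData"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return "reject: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "reject: user not present"
    return "ok: proceed to signature verification"

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"      # constructed sample value
    real = browser_assertion("https://real-bank.example", RP_ID, chal)
    fake = browser_assertion("https://fake-bank.example", "fake-bank.example", chal)
    print(check_assertion(*real, chal))
    print(check_assertion(*fake, chal))
```

An assertion produced on the look-alike page carries that page's origin and RP ID hash, so relaying it to the real site fails these checks no matter what the user believed.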