Why does this matter? The browser isn't even at bankofamerica.com, it is at bankofamericaa.com: it "adds insult to injury", but it doesn't affect the attack. No browser would notice, even with the fanciest watchdog services and certificate pinning, that the certificate of an unrelated website is "authentic" or not. The only way you are going to notice the name being wrong is if the user opens the certificate details dialog and reads the content; do you seriously think someone is going to do this and not look at the URL ;P? What this bug makes possible are not the age-old "wrong URL" attack, but an active MITM on the real URL.

From my experience, people really do pay attention to EV certs ("the green bar"), so I'm not sure it's quite as simple as you're putting it.

Well yeah, but the point is there's nothing stopping the attackers from putting a valid certificate on bankofamericaa.com to make that green bar appear.

Yes, you're right. :)

They can't use BofA's own certificate anyway, because the domain doesn't match.