*yet

Build the audience first, attack comes later

Most registrars and hosts consider phishing already malicious, even if there's no obvious malware download or anything.

It isn't doing that now, but you can't be sure about what they're going to be up to a little ways down the line, the fact that they are clearly trying to misdirect the traffic is proof positive they're up to no good.

Just do a bit of risk assessment if something like this were to be shipped to people that have come to blindly trust the source and you'll see why letting this slip is a very bad idea.