That chrome-extension phish is a really nasty one and was probably super easy to do... chrome should totally be adding some builtin protection for things like that because it's particularly insidious. They should probably have a CA and associated cert generated by the browser in-memory on each startup to sign all local pages which will display a special padlock indicator so you at least have a visual prompt for when you're not on your actual settings pages.

Or something more sensible.