Clickjacking Attacks



In this scenario, Alice has received an email that was spoofed to look like it came from Amazon.

However, after clicking a link in the email she actually lands on a page at amazon.evil_server.com, which contains an iframe showing Amazon's real web site. Alice naïvely believes she is at Amazon.com.

In addition to the iframe showing Amazon's login page, the attacker who sent the email has placed a transparent form on the page at amazon.evil_server.com, positioned invisibly on top of the iframe that shows Amazon's page.

When Alice types her username and password into the textboxes she sees on the page, she is actually typing them into the invisible form on the hidden layer.

When she submits the form, the attacker receives her username and password.
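The attack above only works because the target's login page can be loaded inside an iframe on another origin. The check below is an added example, not part of the original page: it evaluates a site's response headers the way a browser does, so a defender can confirm that a login page refuses to be framed by a page such as amazon.evil_server.com. The header names and values are the real ones browsers honour (Content-Security-Policy frame-ancestors takes precedence over X-Frame-Options); the origins and sample responses are constructed for illustration, and the source matching is simplified to exact origins, 'self', 'none', '*' and scheme-only sources.

```javascript
// Added example: decide whether a page with the given response headers can be
// embedded in an iframe by a page on framerOrigin. Not code from the original page.

// Pull the frame-ancestors directive out of a Content-Security-Policy header.
// Returns null when the directive is absent, otherwise its list of sources.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: object of response header name -> value (case-insensitive lookup).
// selfOrigin: the origin serving the page; framerOrigin: the would-be embedder.
function canBeFramed(headers, selfOrigin, framerOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };

  // CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
  const ancestors = frameAncestors(get('content-security-policy'));
  if (ancestors !== null) {
    if (ancestors.includes("'none'")) return false;
    if (ancestors.includes('*')) return true;
    for (const src of ancestors) {
      if (src === "'self'" && framerOrigin === selfOrigin) return true;
      if (src === framerOrigin) return true;
      // Scheme-only sources such as "https:" match any origin with that scheme.
      if (/^[a-z][a-z0-9+.-]*:$/.test(src) && framerOrigin.startsWith(src)) return true;
    }
    return false;
  }

  // Fall back to X-Frame-Options; modern browsers ignore ALLOW-FROM and unknown values.
  const xfo = get('x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return framerOrigin === selfOrigin;
  }
  return true; // no framing protection at all
}

// Constructed sample responses for a login page served from LOGIN_ORIGIN.
const LOGIN_ORIGIN = 'https://www.example.com';
const ATTACKER_ORIGIN = 'https://amazon.evil_server.com';
const PARTNER_ORIGIN = 'https://partner.example.net';

const unprotected = { 'Content-Type': 'text/html' };
const xfoOnly = { 'X-Frame-Options': 'SAMEORIGIN' };
// CSP allows a partner to frame the page even though X-Frame-Options says DENY.
const cspWithPartner = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'self' https://partner.example.net",
};
const cspNone = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" };

// Summarise whether the attacker's page could frame each variant of the login page.
function report() {
  return {
    unprotected: canBeFramed(unprotected, LOGIN_ORIGIN, ATTACKER_ORIGIN),
    xfoOnly: canBeFramed(xfoOnly, LOGIN_ORIGIN, ATTACKER_ORIGIN),
    cspWithPartner: canBeFramed(cspWithPartner, LOGIN_ORIGIN, ATTACKER_ORIGIN),
    cspNone: canBeFramed(cspNone, LOGIN_ORIGIN, ATTACKER_ORIGIN),
  };
}

console.log(report());
```

Run this against the headers your own login page actually returns (for example from `curl -I`); only `unprotected` should come back `true` for an arbitrary third-party origin. The headers must be sent by the site being framed (the Amazon side of the scenario), not by the attacker's page, because the browser enforces them on the framed document's response.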

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem.

Source: Wikipedia