Generating an address with a chosen prefix and/or suffix is done by randomly choosing a private key and checking what the outcome is. It's similar to mining: every additional character is exponentially more expensive, though you don't have any difficulty adjustments. According to the https://github.com/kangaderoo/vanitygen vanity address generator, it's like 45 seconds for 4 chars, of course depending on your hardware.
The attack actually works like this: an address similar to yours sends you some small amount, and then the next time you try to send to yourself, you mistakenly send to that address. Of course this address reuse is already a problem in itself. I doubt attackers use more than one hour to generate those.
There is a valid use case for having just xpubs, for instance for your point-of-sale device. In that case a malicious wallet could indeed give out wrong addresses. But there is no reason to even mimic addresses similar to the correct ones.
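A wallet-side check for the look-alike deposit described above, as an added example that is not part of the original post: it flags counterparties that match one of your own addresses at both ends but differ in between, with a rough 58-per-character estimate of the search cost. The sample addresses are constructed (not valid), and the function names and the `fixed_prefix` and `min_match` parameters are assumptions.

```python
"""Flag look-alike addresses among transaction counterparties (added example)."""

BASE58_SIZE = 58  # number of characters in the Base58 alphabet


def shared_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shared_suffix_len(a: str, b: str) -> int:
    return shared_prefix_len(a[::-1], b[::-1])


def estimated_attempts(matched_chars: int) -> int:
    # Rough estimate: every matched character multiplies the search by 58,
    # assuming uniformly distributed characters (an approximation).
    return BASE58_SIZE ** matched_chars


def find_lookalikes(own, seen, fixed_prefix=1, min_match=4):
    """Return (seen, own, prefix, suffix, attempts) for each address in `seen`
    that is not ours but shares at least `min_match` chosen characters with
    one of ours. `fixed_prefix` is the leading part every address of that
    type shares (assumed "1" for legacy addresses), so it is not counted."""
    hits = []
    for s in seen:
        if s in own:
            continue  # our own address: reuse, not a look-alike
        for o in own:
            p, q = shared_prefix_len(s, o), shared_suffix_len(s, o)
            matched = max(p - fixed_prefix, 0) + q
            if matched >= min_match:
                hits.append((s, o, p, q, estimated_attempts(matched)))
    return hits


# Constructed sample data: Base58-looking strings, not valid addresses.
OWN = ["1Kq7mZx4TnVb2WcRy8PdHs5JfGe9LuAaXt"]
LOOKALIKE = "1Kq7mBw3RdNc6YhQe2TsVk9MpFj4UgAaXt"  # same start and end as OWN[0]
UNRELATED = "1PwH3nTc8VyRk5JbQs2MdGe7LfXu4ZaYtN"

if __name__ == "__main__":
    for hit in find_lookalikes(OWN, [OWN[0], LOOKALIKE, UNRELATED]):
        print("look-alike of %s: %s (prefix %d, suffix %d, ~%d tries)"
              % (hit[1], hit[0], hit[2], hit[3], hit[4]))
```

Comparing the full address string before sending, rather than only the first and last few characters, is what this check automates.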