How this works is they take your browser's request to fetch `virginaustralia.com.au` (this is DNS spoofing) and instead serve you an identical looking VA website clone and collect your credentials if you enter it there.
Not quite, if you have a look at the article it explains what the attacker was doing.
The problem with what you're describing is that without an SSL certificate for virginaustralia.com.au, you'd get a certificate warning within the user's browser. VA publish HSTS headers for virginaustralia.com.au so you would not be able to pull this off, as HSTS requires a HTTPS connection with valid certificate or browsers would not display the content at all:
What the attacker was doing was to redirect to a captive portal authentication page which harvested user credentials:
The AFP said when people tried to connect their devices to the free networks, they were taken to a fake website which required them to log in using their email or social media accounts.
This would work because you're in control of the redirect through a
DHCP parameter, although it would be clear to at least some users that it makes no sense for them to be redirected to the website that they were directed to when connecting to that particular hotspot. The genius part (also dumb) is doing it in-flight, you could redirect users to a mock up VA site for example, whereas if you spoof an airport's wifi it would not make sense to redirect all travellers to one particular airline's loyalty login page. The dumb part is that I'm pretty sure it will end up being used against him, eg tampering with flight related systems or similar.
There would still be a number of protections in place within modern browsers to avoid getting stung like this, for example for those who save their credentials within their browser, it would not have autofilled usernames and passwords without additional confirmation from users because the domain would not match for the site that the credentials were saved for. It's basically designed to harvest credentials from those who would memorise their credentials and happily type them in to a site without checking the URL vs those who use password manager features within browsers.