Cyber Incident Victim: Domain Group

On or around May 19, 2021, Australian digital real estate company Domain Group publicly confirmed a phishing attack targeting its administrative systems. The attackers gained unauthorized access through phishing techniques, enabling them to interact with individuals who had submitted rental property inquiries via Domain’s platform. According to CEO Jason Pellegrino, the scammers exploited this access to contact potential renters by email, directing them to fraudulent websites and instructing them to pay deposits to secure rental properties. The attack specifically leveraged Domain’s communication channels to impersonate legitimate rental processes, though the exact number of affected users or compromised accounts was not disclosed. Domain did not confirm whether any financial losses occurred as a result of the scam attempts.

Domain Group responded by implementing additional security controls and elevating system monitoring to prevent further unauthorized activity. Pellegrino acknowledged the broader rise in phishing scams during the COVID-19 pandemic, noting that the incident highlighted persistent threats despite increased public awareness of suspicious online behavior. The company emphasized that the attack was isolated to its rental inquiry system and unrelated to a separate health board incident mentioned in its communications. No technical specifics regarding the phishing vector, duration of unauthorized access, or identity of the threat actors were disclosed. Domain’s parent company, Nine Entertainment Co., which holds a 65% ownership stake, was not reported to have been directly impacted by the incident.