
I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (i.e. not receive any mails...).


I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit the hosts file, but it's easy to translate to simply stealing the domain.


I have done this with Facebook as part of a prank on a friend; it's not hard to do!


Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targeted domain)?

The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...


Unless they were making copies and forwarding the e-mails on.



