The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if its only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.
Check this out:
https://bitcointalk.org/index.php?topic=434464.msg5848594#msg5848594It seems that Betarigs miners are having similar problem with stratum reconnect/hi-jacking?