The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if its only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.
If he is only sending outgoing client.reconnect message packets to miners, and not rewriting incoming mining.authorize packets from miners, then the rogue stratum server to which he is redirecting hashpower is receiving the original user/pass, or in the case of wafflepool, the original btc address, and ignoring it -- which would mean it is completely under his control.
[changed my mind about this middle part of the post that I removed, and if you saw it then please note that a true mitm could circumvent all of my suggestions originally contained within]
For now, anyone downloading the miner code directly from github can change the client.reconnect command message text string to something else prior to compilation in order to insulate yourself from this current problem.
