Ask HN: Why am I getting probing traffic with “binance.com” as referrer?

19 points by drakonka ↗ HN
I get a lot of bot traffic to various potentially sensitive endpoints on my blog. Stuff like Wordpress admin or other endpoints that could allow a site to be compromised if they existed. It's really common so that part doesn't surprise me, but I noticed I get quite a bit of this traffic with "binance.com" listed as the referrer and got curious.

My first thought was that someone is spoofing the referrer. I don't know much about crypto exchanges, but it seems like Binance is a pretty "legit" one, which is what made me think they're not sending this traffic (plus, who would do this and leave their actual referrer exposed?). I thought maybe it's a homoglyph phishing attempt, but it seems to just be the legit binance domain string.

I'm curious why anyone would choose to spoof this domain specifically? Most of these bots report no referrer, a few report google or bing. What may be the motivation for using the binance domain?

13 comments

[ 3.7 ms ] story [ 49.2 ms ] thread
I've seen the referer field used to advertise the websites. So maybe some crypto-kiddie is just blasting these things like handing out flyers on the sidewalk. Or someone just took a bot (maybe a bot that DDoSes binance.com?) and forgot to change the referer.
Is it the binance.com root domain? That would be pretty weird indeed.
Yes, it is the root domain. Wasn't sure if there might be some other reason for them picking Binance specifically or if it's just some crypto enthusiast messing around. The latter seems like it might be the likeliest explanation based on the replies so far.
(comment deleted)
I have seen this as well.
Have you checked the IP address of the traffic. If it is a VPN some crypto kiddie playing with tools. If it is binance property i would be surprised.
Yup, all IPs are suspected to be VPNs.
Does it have referral link included? (as earn when someone signs up). If Binance is even offering it, I'm not sure. But referral spam is very popular, the idea is you to check out the pages.
No, it is just "binance.com". I have seen others use this method of advertising, but in that case they seem to always send traffic to the home page or specific posts/pages. Probing sensitive endpoints like a malicious actor would seem like a strange approach.
No http/https? Or trailing slash?
No, just the string "binance.com".
Yeah, that's definitely someone doing strange things, possibly because they're strange.

And then copying/sharing software that does strange things.

It's simulated spam by competitors to defame that website.