HACKER Q&A
📣 drakonka

Why am I getting probing traffic with “binance.com” as referrer?


I get a lot of bot traffic to various potentially sensitive endpoints on my blog. Stuff like WordPress admin or other endpoints that could allow a site to be compromised if they existed. It's really common so that part doesn't surprise me, but I noticed I get quite a bit of this traffic with "binance.com" listed as the referrer and got curious.

My first thought was that someone is spoofing the referrer. I don't know much about crypto exchanges, but it seems like Binance is a pretty "legit" one, which is what made me think they're not sending this traffic (plus, who would do this and leave their actual referrer exposed?). I thought maybe it's a homoglyph phishing attempt, but it seems to just be the legit binance domain string.

I'm curious why anyone would choose to spoof this domain specifically? Most of these bots report no referrer, a few report Google or Bing. What may be the motivation for using the Binance domain?


👤 netsharc Accepted Answer ✓
I've seen the referer field used to advertise the websites. So maybe some crypto-kiddie is just blasting these things like handing out flyers on the sidewalk. Or someone just took a bot (maybe a bot that DDoSes binance.com?) and forgot to change the referer.

👤 Dma54rhs
Does it have a referral link included (as in, earn when someone signs up)? If Binance is even offering it, I'm not sure. But referral spam is very popular; the idea is for you to check out the pages.

👤 vivekv
Have you checked the IP address of the traffic? If it is a VPN, it's some crypto kiddie playing with tools. If it is Binance property, I would be surprised.

👤 Mo3
Is it the binance.com root domain? That would be pretty weird indeed.

👤 gue-ni
I have seen this as well.
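
An added example, not part of the thread: one way to check the points raised in the answers (source IP, root domain versus subdomain, whether a referral query is attached) against an access log. It assumes the combined log format; the probe path list, the `summarize` helper and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

# Assumed probe markers: paths that do not exist on this (non-WordPress) site.
PROBE_PREFIXES = ("/wp-admin", "/wp-login.php", "/xmlrpc.php", "/.env")

def summarize(lines, domain="binance.com"):
    """Summarize probe requests whose Referer host is `domain` or a subdomain."""
    ips, paths, hosts = Counter(), Counter(), Counter()
    with_query = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, path, _status, referer, _agent = m.groups()
        # Bots often send a bare "binance.com" with no scheme; normalize it.
        ref = urlsplit(referer if "://" in referer else "//" + referer)
        host = (ref.hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue
        if not path.lower().startswith(PROBE_PREFIXES):
            continue
        ips[ip] += 1
        paths[path] += 1
        hosts[host] += 1
        with_query += bool(ref.query)  # a referral code would appear here
    return {"ips": ips, "paths": paths, "referer_hosts": hosts,
            "with_query": with_query}

# Constructed sample lines using documentation IP ranges, not real traffic.
T = "[10/Oct/2023:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /wp-login.php HTTP/1.1" 404 153 "binance.com" "Mozilla/5.0"',
    f'203.0.113.7 - - {T} "POST /xmlrpc.php HTTP/1.1" 404 153 "https://binance.com" "Mozilla/5.0"',
    f'198.51.100.9 - - {T} "GET /wp-admin/ HTTP/1.1" 404 153 "https://www.binance.com/en?ref=EXAMPLE" "curl/8.0"',
    f'192.0.2.44 - - {T} "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    f'192.0.2.50 - - {T} "GET /posts/hello HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    f'192.0.2.51 - - {T} "GET /about HTTP/1.1" 200 900 "https://binance.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The resulting IP list can then be compared against the address ranges published for the named organization or for known VPN and hosting providers.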