
The spoofer wouldn’t be able to obtain a valid certificate for the spoofed site, though.


The spoofer can obtain a valid certificate for another, seemingly legitimate site. Any software that hasn't explicitly pinned the leaf TLS certificates will still accept the (valid) certificate it is redirected to.

And sadly, a lot of software still doesn't perform certificate pinning.


How is this redirect performed?


When a URL is manually typed in, and HSTS or HSTS-preloading isn't enabled, the initial 301 redirect would be http.


It could just be a 3xx redirect over clear http, right? The http site can redirect to an https site with a similar name.
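As an added illustration of the scenario the thread describes (not code from any commenter), the following Python walks a redirect chain as a client would see it and flags the three conditions discussed above: a redirect served over clear http, a hop that leaves the host the user typed, and a final https response without an HSTS header. The chain and the look-alike host name `examp1e.com` are constructed sample data, not a real site.

```python
from urllib.parse import urlparse

# Constructed sample exchange (no real servers): the user types "example.com",
# the browser first requests plain http, and an on-path party answers that
# unprotected request with a 301 to a look-alike host that holds its own
# valid certificate. Each entry is url -> (status, headers) for one hop.
CONSTRUCTED_CHAIN = {
    "http://example.com/": (301, {"Location": "https://examp1e.com/"}),
    "https://examp1e.com/": (200, {}),
}

def audit_redirects(start_url, responses, max_hops=10):
    """Walk a redirect chain and return defender-relevant findings.

    responses maps a URL to the (status, headers) the client received for it.
    Findings reported:
      plaintext_hop  - a redirect was served over clear http (spoofable on-path)
      host_change    - a hop moved away from the host the user originally typed
      missing_hsts   - the final https response set no Strict-Transport-Security,
                       so the next manual visit will again start over plain http
    """
    findings = []
    original_host = urlparse(start_url).hostname
    url = start_url
    for _ in range(max_hops):
        if url not in responses:
            findings.append(f"no_response:{url}")
            break
        status, headers = responses[url]
        scheme = urlparse(url).scheme
        if 300 <= status < 400 and "Location" in headers:
            if scheme == "http":
                findings.append(f"plaintext_hop:{url}")
            nxt = headers["Location"]
            nxt_host = urlparse(nxt).hostname
            if nxt_host != original_host:
                findings.append(f"host_change:{original_host}->{nxt_host}")
            url = nxt
            continue
        if scheme == "https" and "Strict-Transport-Security" not in headers:
            findings.append(f"missing_hsts:{url}")
        break
    return findings

if __name__ == "__main__":
    for finding in audit_redirects("http://example.com/", CONSTRUCTED_CHAIN):
        print(finding)
```

A chain that stays on the typed host and sets HSTS still reports the initial `plaintext_hop`, which is exactly the window that only HSTS preloading closes.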



