Better to make it deterministic, eg. display a fake success page whenever sha1('salt'+login+password) has two leading zeros.
That way you can easily control the fake success rate, and you make sure that if the attacker realises they are being tricked, they can't just retry successful logins to double check, since they get the same result every time.
These suggestions sound good but the real challenge will be to reliably detect fake logins to not suddently and accidentally mess with your real users..
Easy. Set it up just like a honeypot. Except that instead of being a sticky honeypot, it's poisoned honey they get.
OP mentioned the attack is easily identified so legitimate traffic gets served correctly bad traffic gets "logged in" to the poisoned honeypot. 301 after login perhaps
That way you can easily control the fake success rate, and you make sure that if the attacker realises they are being tricked, they can't just retry successful logins to double check, since they get the same result every time.