Oracle identifies new KissFraud context spoofing scheme attached to video piracy websites

April 15, 2022 | 4 minute read
Sam Mansour
Principal Product Manager for Moat Analytics
Text Size 100%:

Much of the fight against ad fraud is devoted to botnets because they are so prevalent and often easy to identify with the right safety measures in place. But ad fraud dangers—and the risk of invalid traffic (IVT)—go far beyond botnets. In fact, identifying – and eliminating – dangerous ad environments is often a much more complex process than finding a single bad actor tethered to thousands of servers, creating havoc across the Internet.

One of the most dangerous forms of ad fraud is context spoofing. This tactic, which is also referred to as content injection, is used by hackers to inject malicious content into a web application, delivering the end user with counterfeit content that is being directed by the bad actor. Instead of IVT being attached to a system of botnets creating unsafe ad impressions, the invalid traffic is generated by actual humans. According to the Open Web Application Security Project (, “The attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and user’s trust.” 

KissFraud: The latest context spoofing ad fraud scheme found by Oracle

The ramifications of context spoofing can be disastrous for advertisers, potentially harming their brand reputation while costing them millions of dollars in wasted ad spend. Because it presents so many dangers for advertisers, the Oracle Moat IVT team has been relentless in its efforts to identify and eliminate context spoofing at all costs. In 2021, the team discovered the manga scheme that leveraged domain misdirection tactics and context spoofing to commit blatant ad fraud and subvert brand safety measures.

The Oracle Moat IVT team has once again identified a new context spoofing called KissFraud. This latest ad fraud scheme misrepresents users watching pirated video content as consumers of innocuous news sites. (The name of the scheme is based on the malicious pirating video sites kisscenter[.]net, ksnews[.]me and kissorg[.]net where the ad fraud was discovered.) The deceptive nature of the KissFraud scheme dupes advertisers into believing their ad impressions are occurring on brand safe news sites, when in fact their ads are being served up on malicious websites that host pirated video content.

Read Oracle Lab’s Technical Insights on the KissFraud Context Spoofing Scheme.

How the KissFraud Scheme Works

With the help of the Parallel Graph AnalytiX (PGX) team and Oracle Labs researchers, Oracle Moat IVT team members discovered the KissFraud scheme by using Oracle’s patented Graph Machine Learning techniques available in Oracle’s Graph Database with a focus on Explainable Representation Learning. This technology enabled them to identify the highly elaborate context spoofing tactic that effectively masks malicious content sources—in this case websites that host pirated video content. 

Here’s how the KissFraud scheme works:

The “cashout” or “ghost site” (a malicious website with counterfeit content created specifically for ad fraud purposes) checks for the presence of a cookie that indicates a user came from the website hosting the pirated video content. If a cookie is found, then the pirated video content is served to the user along with the ads coming from one of the “cashout” site domains.

This is an example of one of the “cashout” sites identified in the KissFraud scheme and what is shown if a cookie is found:

This is an example of what the user sees if a cookie is not found (a generic looking news site):