OwO Network, LLC Network Operations Center
Threat Intelligence & Abuse Response
Incident Report · Issued 6 May 2026
Document Version 1.0

Threat Intelligence Advisory

Investigation Report:
UnionPay-Impersonation Phishing Infrastructure

SMS-delivered lure impersonating China UnionPay, targeting the card credentials and one-time passwords of UnionPay cardholders in the Tokyo metropolitan area; the related infrastructure correlates to a domain cluster hosted on 104.225.145.101 (AS25820 / IT7 Networks Inc).

Report Date: 6 May 2026
Incident Date: 5–6 May 2026
Classification: TLP:CLEAR
Prepared By: Vincent Yang, NOC

1. Abstract

This report documents a high-confidence payment-card phishing incident in which SMS messages impersonating China UnionPay directed the victim to https://up.cnpayglobal.com/. The incident occurred shortly after a card payment near 〒104-0061 Tokyo, Chuo City, Ginza, 3 Chome-3-13 (approximately 35.6728586, 139.7624018). The fraudulent site collected payment-card verification data and SMS one-time passwords; subsequent banking notifications recorded an attempted online payment of CNY 11,987.95.

Technical investigation links the observed lure domain and related infrastructure to a cluster hosted on 104.225.145.101, an address associated with IT7 Networks Inc. and AS25820. The phishing site additionally presents implementation characteristics consistent with a Vite.js-built web application. RDAP records show consistent use of the NameSilo registrar, DNSOWL nameservers, and PrivacyGuardian privacy protection across the cluster.

Keywords
phishing · UnionPay impersonation · SMS sender spoofing · payment-card fraud · RDAP · NameSilo · AS25820

2. Incident Overview

Shortly after a card payment near 〒104-0061 Tokyo, Chuo City, Ginza, 3 Chome-3-13, the victim received SMS messages impersonating China UnionPay. The messages claimed that the victim's overseas payment capability had been disabled and instructed re-authentication through https://up.cnpayglobal.com/. The destination presented a UnionPay-themed card authentication interface and requested sensitive cardholder information, including card number, CVV/CVN2, expiration date, mobile telephone number, and SMS verification code.

After the victim requested the verification code, the page remained in a loading state for approximately one to two minutes. This delay is consistent with a live-relay or operator-assisted fraud workflow. One plausible hypothesis is that backend operators were manually entering the submitted card details into a downstream purchase flow, such as airline-ticket or hotel bookings, of the kind sometimes associated with low-price proxy-purchase fraud. This is an inference from the observed page behaviour and the bank payment SMS that followed, not direct proof of the downstream merchant or purchase category.

The phishing interface displayed an English option in the upper-right corner, but clicking it had no effect. The non-functional language switch, combined with the Chinese-language SMS lure and UnionPay-themed page content, supports the assessment that the campaign primarily targeted Chinese-speaking UnionPay cardholders physically present in Japan. The spoofed sender identity and the close correlation in time and place with the Ginza payment are also consistent with SMS sender spoofing or pseudo-base-station activity; this remains an inference from victim-side evidence, and confirming the delivery mechanism would require carrier-side logs or telecom records obtained by law enforcement.

The one-to-two-minute verification-code delay is consistent with live relay or operator-assisted fraud; the precise downstream purchase workflow remains an investigative hypothesis pending corroborating telemetry from the card issuer.

3. Documentary Evidence

The following screenshots constitute the primary victim-side evidence, documenting the SMS lure, the bank verification messages, the phishing landing page, and the credential collection form.

Figure 1. Spoofed UnionPay SMS lure containing https://up.cnpayglobal.com/.
Figure 2. Bank SMS verification messages for an attempted online payment of CNY 11,987.95.
Figure 3. Phishing landing page at up.cnpayglobal.com presenting a UnionPay-style card authentication prompt.
Figure 4. Credential and OTP harvesting form requesting CVN2/CVV, expiration date, mobile number, and SMS code.

4. Attack Chain Analysis

  1. The victim completed a card payment near 〒104-0061 Tokyo, Chuo City, Ginza, 3 Chome-3-13.
  2. The victim received SMS messages impersonating China UnionPay.
  3. The SMS messages directed the victim to https://up.cnpayglobal.com/.
  4. The phishing page requested full card verification data and the SMS OTP.
  5. The verification-code request remained in a loading state for approximately one to two minutes, suggesting live relay or operator-assisted backend interaction with a real payment workflow.
  6. A plausible investigative hypothesis is that the submitted card details were being used manually for downstream purchases, such as airline-ticket or hotel bookings; this has not been independently confirmed.
  7. The upper-right English option on the phishing page was non-functional, suggesting the workflow was designed primarily for Chinese-speaking users in Japan.
  8. The victim received bank verification messages for an attempted CNY 11,987.95 online payment.
  9. The victim identified the website as phishing and reported it to the registrar, the registry, and the hosting network.

5. Infrastructure Indicators

5.1 Primary indicators of compromise

Primary lure host: up.cnpayglobal.com
Root domain: cnpayglobal.com
Hosting IP: 104.225.145.101
Web build framework: Vite.js (observed bundler signature)
ASN: AS25820 · IT7NET
Registrar: NameSilo, LLC · IANA ID 1479
Registrar abuse: abuse@namesilo.com
IP / ASN abuse: abuse@sioru.com
Nameservers: NS1.DNSOWL.COM, NS2.DNSOWL.COM, NS3.DNSOWL.COM

5.2 Related infrastructure on 104.225.145.101

FOFA-derived asset data identifies a cluster of similarly themed "Bank Card Authentication" hosts colocated on the same IP address.

Host | Port(s) | Page title | Root domain
cn.lianhezf.com | 80 / 443 | Bank Card Authentication | lianhezf.com
cn.up-hwrz.com | 80 / 443 | Bank Card Authentication | up-hwrz.com
cn.yinlianasia.com | 80 / 443 | Bank Card Authentication | yinlianasia.com
cn.uphwzf.com | 80 / 443 | Bank Card Authentication | uphwzf.com
cn.yinlianworld.com | 80 / 443 | Bank Card Authentication | yinlianworld.com
cn.jingwaizf.com | 80 / 443 | Bank Card Authentication | jingwaizf.com
zgyinlian-zf.com | 80 / 443 | Bank Card Authentication / 400 | zgyinlian-zf.com
cn.uprenzheng.com | 80 / 443 | Bank Card Authentication | uprenzheng.com
cn.upjprz.com | 80 / 443 | Bank Card Authentication | upjprz.com
zhifu-oversea.com, cn.zhifu-oversea.com | 80 / 443 | Bank Card Authentication / blank | zhifu-oversea.com
104.225.145.101 (bare IP) | 80 / 443 / 888 / 22 | Bank Card Authentication / 400 / 403 | n/a

6. RDAP and WHOIS Findings

Registry dates below are based on Verisign RDAP unless otherwise noted. Registrar-side dates may differ by one calendar day, because NameSilo reports normalized registrar-side dates separately, whereas Verisign returns exact UTC timestamps.

6.1 Domain RDAP summary

Domain | Status at query time | Registration (UTC) | Expiration (UTC)
cnpayglobal.com | client transfer prohibited | 2026-05-05 01:35:56 | 2027-05-05 01:35:56
lianhezf.com | client transfer prohibited | 2026-04-02 03:45:27 | 2027-04-02 03:45:27
up-hwrz.com | client transfer prohibited | 2025-12-20 05:55:48 | 2026-12-20 05:55:48
yinlianasia.com | client hold; client transfer prohibited | 2026-04-21 03:27:59 | 2027-04-21 03:27:59
uphwzf.com | client transfer prohibited | 2025-12-25 08:15:20 | 2026-12-25 08:15:20
yinlianworld.com | client hold; client transfer prohibited | 2026-04-04 03:08:18 | 2027-04-04 03:08:18
jingwaizf.com | client hold; client transfer prohibited | 2025-11-19 08:25:35 | 2026-11-19 08:25:35
zgyinlian-zf.com | client transfer prohibited | 2025-11-22 17:22:02 | 2026-11-22 17:22:02
uprenzheng.com | client hold; client transfer prohibited | 2025-12-13 04:15:48 | 2026-12-13 04:15:48
upjprz.com | client hold; client transfer prohibited | 2025-12-13 04:24:00 | 2026-12-13 04:24:00
zhifu-oversea.com | client hold; client transfer prohibited | 2025-12-06 03:07:12 | 2026-12-06 03:07:12

6.2 Common registrar and DNS pattern

Registrar: NameSilo, LLC (IANA ID 1479)
Registrar support: support@namesilo.com
Registrar abuse: abuse@namesilo.com · +1.480.524.0066
Privacy service: PrivacyGuardian.org
Common privacy phone: +1.3478717726
DNS provider: DNSOWL
DNSSEC: not delegation-signed
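As an added example that is not part of the original report, the following Python reduces RDAP domain objects to the fields tabulated above, groups domains by shared registrar IANA ID and nameserver set (the overlap this section relies on), flags client hold, and tests registration against the incident window. The RDAP records are constructed samples that reuse values from the tables, plus a control domain with unrelated infrastructure.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample RDAP domain objects (RFC 9083 shape, trimmed to the fields
# read below); the two real domains carry the values from the report's table.
SAMPLE_RDAP = [
    {"ldhName": "cnpayglobal.com", "status": ["client transfer prohibited"],
     "events": [{"eventAction": "registration", "eventDate": "2026-05-05T01:35:56Z"}],
     "nameservers": [{"ldhName": "NS1.DNSOWL.COM"}, {"ldhName": "NS2.DNSOWL.COM"}],
     "entities": [{"roles": ["registrar"],
                   "publicIds": [{"type": "IANA Registrar ID", "identifier": "1479"}]}]},
    {"ldhName": "yinlianasia.com", "status": ["client hold", "client transfer prohibited"],
     "events": [{"eventAction": "registration", "eventDate": "2026-04-21T03:27:59Z"}],
     "nameservers": [{"ldhName": "ns2.dnsowl.com"}, {"ldhName": "ns1.dnsowl.com"}],
     "entities": [{"roles": ["registrar"],
                   "publicIds": [{"type": "IANA Registrar ID", "identifier": "1479"}]}]},
    {"ldhName": "unrelated.example", "status": ["active"],  # control: other registrar/DNS
     "nameservers": [{"ldhName": "ns1.example.net"}],
     "entities": [{"roles": ["registrar"],
                   "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}]}]},
]

def _utc(s):
    """Parse an RDAP timestamp or bare ISO date as an aware UTC datetime."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def summarize(rdap):
    """Reduce one RDAP domain object to the fields the report tabulates."""
    registrar = next((pid["identifier"] for e in rdap.get("entities", [])
                      if "registrar" in e.get("roles", [])
                      for pid in e.get("publicIds", [])
                      if pid.get("type") == "IANA Registrar ID"), None)
    events = {ev["eventAction"]: ev["eventDate"] for ev in rdap.get("events", [])}
    return {"domain": rdap["ldhName"].lower(),
            "registrar_iana_id": registrar,
            "nameservers": tuple(sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", []))),
            "on_hold": any("hold" in s.lower() for s in rdap.get("status", [])),
            "registered": _utc(events["registration"]) if "registration" in events else None}

def cluster(records):
    """Group domains by (registrar IANA ID, nameserver set): the overlap Section 6 relies on."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["registrar_iana_id"], rec["nameservers"])].append(rec["domain"])
    return dict(groups)

def registered_within(rec, start, end):
    """True if registration falls inside the incident window [start, end], given as ISO/UTC."""
    return rec["registered"] is not None and _utc(start) <= rec["registered"] <= _utc(end)

SUMMARIES = [summarize(r) for r in SAMPLE_RDAP]
```

In practice the objects come from the registry or registrar RDAP endpoint (for .com, Verisign's), and the registration comparison should use the registry timestamp, given the one-day registrar-side offset noted above.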

6.3 Hosting RDAP — 104.225.145.101

Network handle: NET-104-225-144-0-2
Address range: 104.225.144.0 – 104.225.159.255
Network name: CL-104-225-144-0-20
Type / status: Assignment / active
IP registrant: IT7 Networks Inc · 530 W 6th Street, Los Angeles, CA 90014, USA
Related registrant: Cluster Logic Inc
Abuse contact: abuse@sioru.com · +1-408-260-5757
NOC / tech / admin: arin-noc@sioru.com, arin-tech@sioru.com, arin-admin@sioru.com

6.4 Hosting RDAP — AS25820

AS number: AS25820
AS name: IT7NET
Status: Active
Registrant: IT7 Networks Inc
Registrant address: 4974 Kingsway Ave, Suite 668, Burnaby, BC V5H 4M9, Canada
Abuse contact: abuse@sioru.com · +1-408-260-5757
NOC / tech / admin: arin-noc@sioru.com, arin-tech@sioru.com, arin-admin@sioru.com

7. Assessment

This incident is assessed as a high-confidence UnionPay-themed payment-card phishing campaign. The conclusion is supported by the following observations:

  1. The SMS impersonates China UnionPay and directs the victim to a non-official, newly registered domain.
  2. cnpayglobal.com was registered on 2026-05-05, matching the incident window.
  3. The phishing page solicits CVV/CVN2, expiration date, telephone number, and SMS verification code.
  4. A real bank payment verification SMS for CNY 11,987.95 followed the interaction.
  5. The one-to-two-minute verification-code delay is consistent with a live-relay workflow and may indicate operator-assisted downstream purchase attempts.
  6. The non-functional English option and the Chinese-language interaction path support a target profile of Chinese-speaking UnionPay users in Japan.
  7. The site appears to have been implemented as a Vite.js-built web application, which provides a useful technical fingerprint for log searches, file-system triage, and related-site clustering.
  8. FOFA asset data identifies many similarly themed "Bank Card Authentication" hosts on the same IP address.
  9. RDAP records demonstrate strong infrastructure overlap across registrar, DNS provider, privacy service, and hosting IP.
  10. Several related domains already show client hold, suggesting prior abuse handling or takedown activity against the same cluster.

8. Actions Already Taken

The domain cnpayglobal.com has been reported to NameSilo with a request for suspension of all DNS resolution. The matter has also been submitted to Verisign in its capacity as the .com registry, and the AS25820 / IT7 Networks abuse contact identified through RDAP has been notified.

9. Current Status

The following records the response status of each notified party as of the most recent update. This section will be revised as further responses are received.

NameSilo, LLC (Registrar)
  Status: Acknowledged · Action taken
  Disposition: NameSilo Support has replied and confirmed that cnpayglobal.com has been placed on ClientHold status, effectively suspending DNS resolution for the lure domain.

Verisign, Inc. (.com Registry)
  Status: Awaiting response
  Disposition: Abuse submission acknowledged on receipt; no substantive response received at the time of this update.

IT7 Networks Inc. (AS25820 hosting network)
  Status: Awaiting response
  Disposition: RDAP-listed abuse contact abuse@sioru.com notified; no response received at the time of this update. Phishing content on 104.225.145.101 remains observable.

NameSilo's ClientHold action removes the lure domain from DNS resolution but does not affect the underlying hosting infrastructure or the related domains within the cluster. Sustained takedown still requires the hosting network to remove the phishing content and the registry to act against the broader domain set.

11. Conclusion

The collected SMS evidence, phishing-page screenshots, FOFA asset data, RDAP records, and Vite.js implementation fingerprint together support the conclusion that up.cnpayglobal.com and the related domains constitute coordinated payment-card phishing infrastructure impersonating China UnionPay. The one-to-two-minute verification-code delay and the non-functional English option further support a live-relay fraud workflow aimed at Chinese-speaking UnionPay cardholders in Japan. Immediate takedown, log preservation, and cross-provider correlation among the registrar, registry, hosting network, card issuer, and mobile carrier are warranted.

A. Appendix — Takedown List

up.cnpayglobal.com
cnpayglobal.com
cn.lianhezf.com
cn.up-hwrz.com
cn.yinlianasia.com
cn.uphwzf.com
cn.yinlianworld.com
cn.jingwaizf.com
zgyinlian-zf.com
cn.uprenzheng.com
cn.upjprz.com
zhifu-oversea.com
cn.zhifu-oversea.com
104.225.145.101
Prepared by
Vincent Yang
Network Operations Center
OwO Network, LLC
Date of Issue
6 May 2026
Tokyo, Japan