Summary
A spoofed China UnionPay SMS directed the victim to https://up.cnpayglobal.com/ shortly after payment activity near Ginza, Tokyo. The site collected card verification data and SMS OTP material. Bank messages later showed an attempted CNY 11,987.95 online payment.
The verification-code request remained in a loading state for approximately one to two minutes. This is consistent with live relay or operator-assisted fraud, but the downstream purchase workflow remains an investigative hypothesis.
Findings
- The lure domain cnpayglobal.com was registered on 2026-05-05.
- The phishing form requested CVV/CVN2, expiration date, phone number, and SMS verification code.
- The page exposed a non-functional English option, supporting a target profile of Chinese-speaking UnionPay users in Japan.
- The phishing site showed characteristics consistent with a Vite.js-built web application.
- Related hosts cluster on 104.225.145.101, associated with IT7 Networks Inc / AS25820.
Primary Indicators
| Type | Indicator | Context |
|---|---|---|
| URL | https://up.cnpayglobal.com/ | Primary SMS phishing destination |
| Domain | cnpayglobal.com | NameSilo registration, DNSOWL nameservers |
| IP | 104.225.145.101 | Observed hosting IP for related assets |
| ASN | AS25820 | IT7 Networks Inc |
| Framework | Vite.js | Observed web build fingerprint |
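The following hunt script is an added example, not part of the original report. It checks proxy or DNS log fields against the domain and IP indicators in the table above, matching the domain only exactly or as a true subdomain. The whitespace-separated log layout and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the table above.
IOC_DOMAINS = {"cnpayglobal.com"}
IOC_IPS = {ipaddress.ip_address("104.225.145.101")}

def match_ioc(value):
    """Return 'domain', 'ip' or None for a URL, host[:port] or IP string."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value              # make urlsplit parse it as a netloc
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()       # DNS logs often keep the root dot
    try:
        return "ip" if ipaddress.ip_address(host) in IOC_IPS else None
    except ValueError:
        pass                              # not an IP literal: compare as a name
    # Exact match or true subdomain only; a plain suffix test would also
    # flag look-alikes such as "notcnpayglobal.com".
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "domain"
    return None

def scan(log_lines):
    """Return (line_number, field, kind) for every matching whitespace field."""
    return [(n, field, kind)
            for n, line in enumerate(log_lines, 1)
            for field in line.split()
            if (kind := match_ioc(field))]

# Constructed proxy/DNS log lines for illustration (not from the incident).
SAMPLE = [
    "2026-05-20T10:01:02Z 10.0.0.5 GET https://up.cnpayglobal.com/ 200",
    "2026-05-20T10:01:09Z 10.0.0.5 DNS UP.CNPAYGLOBAL.COM. A",
    "2026-05-20T10:02:00Z 10.0.0.7 GET https://notcnpayglobal.com/ 200",
    "2026-05-20T10:02:30Z 10.0.0.7 GET https://cnpayglobal.com.example.net/a 200",
    "2026-05-20T10:03:00Z 10.0.0.9 CONNECT 104.225.145.101:443 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
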
Evidence
Actions Already Taken
The domain cnpayglobal.com has been reported to NameSilo with a request to suspend DNS resolution. The incident has also been submitted to Verisign as the .com registry, and the AS25820 / IT7 Networks abuse contact identified through RDAP has been contacted.
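Chinese Summary
This page is a web summary of the full Chinese-English PDF investigation report. The incident involved an SMS phishing message impersonating "China UnionPay" that lured the victim to https://up.cnpayglobal.com/ and collected bank card verification data and SMS verification codes.
The page's "get verification code" step stalled for about 1 to 2 minutes, suggesting a live relay or operator-assisted workflow; this assessment remains an investigative hypothesis. The English button in the upper-right corner of the page did nothing when clicked; combined with the Chinese-language SMS and the UnionPay-themed page, this supports the view that the campaign mainly targets Chinese-speaking users in Japan or China UnionPay cardholders.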