Sunday Times (Sri Lanka)

SLC wire transfer fraud: Likely target of hackers

- By Namini Wijedasa and Champika Fernando

Sri Lanka Cricket (SLC) is likely to have been the target of hackers using a Hong Kong-based shell company to perpetrate international wire transfer fraud in a textbook case of “business email compromise” (BEC), an investigation by the Sunday Times shows.

Last month, SLC’s Chief Financial Officer (CFO) Piyal Dissanayake was sent on compulsory leave pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 5.5mn to an account at Hang Seng Bank in Hong Kong. The account is in the name of an entity called Fanya Silu Co Ltd. He allegedly used his official email account.

The payment authorisation letter also said that around Rs 93.3mn would be further credited automatically to an account at the Banamex Bank in Mexico.

This is an electronic wire transfer where the money is sent to the final beneficiary's bank account via an intermediary bank.

The money was Sony’s outstanding payments to SLC for television broadcast rights. These had been held up over issues Sony was facing with India’s tax regulator.

The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case while Ernst & Young was enlisted to carry out a comprehensive audit on SLC’s broadcast earnings.

It was also found that Sony had earlier remitted a separate sum of USD 187,000 (Rs 32mn) to an offshore account, allegedly on the CFO’s instructions.

This is thought to have been a dry run. The smaller amount was for Sri Lanka’s tour of South Africa while the larger sum was for the ongoing England tour of Sri Lanka.

But SLC has not assigned the matter to cyber security experts--such as the national Sri Lanka CERT/CC (Computer Emergency Readiness Team/Co-ordination Centre) or the private sector TechCERT--despite the attempted crime having multiple characteristics of international wire transfer fraud.

This year alone, Sri Lanka CERT handled 10 similar cases in the country, said Roshan Indragupta, Senior Information Security Engineer. Last year, there were 33 while in 2016 there were 16. Among those affected are large corporations doing business with foreign clients. All involved business email scams.

A business email compromise is an exploit in which “the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers or partners of money. In some cases, an attacker simply creates an account with an email address that is similar to one on the corporate network”. These features and several others are clear in the SLC case.

In some instances, the wire transfers went through, Mr Indragupta said. In others, the targets became suspicious and initiated a process of verification which prompted them to halt payment and contact cyber security experts. There could be others who did not seek expert service but reported directly to the CID and police.

Mr Dissanayake, the CFO, upon questioning has maintained that his email was hacked. However, this has been dismissed by the SLC’s IT division which says it has strong controls (Office 365 login).

The Sunday Times dug into the Hong Kong business registry to gather more information about Fanya Silu Co Ltd. According to the Chinese language records (translated with assistance from investigative journalists in Hong Kong), the company was formed on September 27, 2017, by a 38-year-old Chinese national called Zhang Xiaoming. He was the only founder member and director and is from a small county in the Gansu Province. The name Zhang Xiaoming is widespread in China.

In September this year, Mr Zhang resigned and the company appointed Tamara Sanchez Baurdet as the new director. She holds a Spanish passport and the address she has provided the business registry is Avenida del Garraf, 12, 1A Vilafranca del Penedes, Barcelona. But it was she who handed over the information to the company registry in Hong Kong and the document lists her address there as Flat 2814 Block 8, Ming Kum Road, Tuen Mun, NT, which is public rental housing.

A further search of the business directory showed that Sanchez Baurdet is a director of no fewer than 300 companies registered in Hong Kong (and at least one in Poland. This is called Wing Lok Trading. Wing Lok is also a street in Hong Kong). All of them were formed in recent years and around the same period. Investigative journalists in Hong Kong said she could be a proxy or merely an avenue to register companies, earning an income from sitting as a director.

Another possibility is that Mr Zhang sold off the shell to Sanchez Baurdet, they said, adding that it was common business in Hong Kong to trade in such companies. The territory has thousands of shell companies, some of which are used to get money in and out of China.

Interestingly, Mr Zhang resigned from Fanya Silu Co one day before the payment authorisation letter was allegedly sent by Mr Dissanayake to Sony Pictures (it was dated September 4, 2018). This could have been to avoid liability in case the wire transfer came through. But while the business registry document says he resigned, it does not mean he is not still the beneficial owner.

The letter sent to Sony with instructions to transfer US$ 5,564,404.50 to the account of Fanya Silu Co in Hang Seng Bank Hong Kong contains multiple grammatical and syntax errors. Meanwhile, several emails purportedly sent from Mr Dissanayake’s email address (hofinance@srilankacricket.lk) are copied to similarly named email addresses belonging to the SLC's Chief Operating Officer Jerome Jayaratne and CEO Ashley de Silva. But instead of coo@srilankacricket.lk or ashley@srilankacricket.lk, the addresses are coo@srilankacricket.us and ashley@srilankacricket.us.

The ‘srilankacricket.us’ domain is registered to a user named Sunil Shahzad whose address is Office # 26, Arfa Tower, Gulberg III in Lahore, Punjab, Pakistan. It was created in August this year.
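The mismatch described above, with copied addresses on srilankacricket.us instead of srilankacricket.lk, is something a mail check can flag automatically. The following is an added example, not part of the original report: it marks any address whose domain reuses or closely imitates the organisation's name without being the organisation's own domain. The sample message, the example.com recipient and the sri1ankacricket.lk test value are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "srilankacricket.lk"  # legitimate domain named in the article

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, org_domain=ORG_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for an address domain."""
    domain = domain.lower().rstrip(".")
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    org_label = org_domain.split(".")[0]
    # Same name under another TLD, or a near-miss spelling of the name.
    for label in domain.split("."):
        if edit_distance(label, org_label) <= max_distance:
            return "lookalike"
    return "external"

def flag_lookalikes(raw_message):
    """List (header, address) pairs whose domain imitates ORG_DOMAIN."""
    msg = message_from_string(raw_message)
    hits = []
    for header in ("From", "Reply-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr and classify_domain(addr.rpartition("@")[2]) == "lookalike":
                hits.append((header, addr.lower()))
    return sorted(hits)

# Constructed message using the addresses quoted in the article.
SAMPLE = """\
From: hofinance@srilankacricket.lk
To: payments@example.com
Cc: coo@srilankacricket.us, ashley@srilankacricket.us
Subject: Payment instructions

(constructed body)
"""

if __name__ == "__main__":
    for header, addr in flag_lookalikes(SAMPLE):
        print(f"{header}: {addr} resembles {ORG_DOMAIN}")
```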

The SLC case involves shell companies, at least two bank accounts and hard-to-trace individuals in several jurisdictions. It is also likely that other email accounts at SLC have been compromised. But the sporting body maintains that Mr Dissanayake is directly involved. This is because the emails pertaining to the transactions--including the questionable ones--were sent from his hofinance@srilankacricket.lk account and not a srilankacricket.us account, they claim. It was not possible to independently verify this.

The SLC also acknowledges that some emails had originated from another IP address. But it claims that the CFO could have done it to “pretend to be hacked” by the use of a proxy site. The SLC also says a hacker cannot stage a “middleman attack” on a particular email address for months without it being noticed. It was not possible to independently verify the time period being referred to.

The sporting body says it also recovered emails that were “hard deleted”--indicating that Mr Dissanayake may have tried to erase traces from the system. The primary investigation by SLC shows there was no hacking, an internal source said, adding that the CID’s cyber crime division has been given the task now.
