News

Sri Lanka Cricket (SLC) is likely to have been the target of hackers using a Hong Kong-based shell company to perpetrate international wire transfer fraud in a textbook case of “business email compromise” (BEC), an investigation by the Sunday Times shows. Last month, SLC’s Chief Financial Officer (CFO) Piyal Dissanayake was sent on compulsory leave pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 5.5mn to an account Hang Seng Bank in Hong Kong. The account is in the name of an entity called Fanya Silu Co Ltd. He allegedly used his official email account.

The payment authorisation letter also said that around Rs 93.3mn would be further credited automatically to an account at the Banamex Bank in Mexico.
This is an electronic wire transfer where the money is sent to the final beneficiary’s bank account via an intermediary bank.

The money was Sony’s outstanding payments to SLC for television broadcast rights. These had been held up over issues Sony was facing with India’s tax regulator.
The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case while Ernest & Young was enlisted to carry out a comprehensive audit on SLC’s broadcast earnings.

It was also found that Sony had earlier remitted a separate sum of USD 187,000 (Rs 32mn) to an offshore account, allegedly on the CFO’s instructions.
This is thought to have been a dry run. The smaller amount was for Sri Lanka’s tour of South Africa while the larger sum was for the ongoing England tour of Sri Lanka.

But SLC has not assigned the matter to cyber security experts–such as the national Sri Lanka CERT/CC (Computer Emergency Readiness Team/Co-ordination Centre) or the private sector TechCERT–despite the attempted crime having multiple characteristics of international wire transfer fraud.

This year alone, Sri Lanka CERT handled 10 similar cases in the country, said Roshan Indragupta, Senior Information Security Engineer. Last year, there were 33 while in 2016 there were 16. Among those affected are large corporations doing business with foreign clients. All involved business email scams.

A business email compromise is an exploit in which “the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers or partners of money. In some cases, an attacker simply creates an account with an email address that is similar to one on the corporate network”. These features and several others are clear in the SLC case.

In some instances, the wire transfers went through, Mr Indraguta said. In others, the targets became suspicious and initiated a process of verification which prompted them to halt payment and contact cyber security experts. There could be others who did not seek expert service but reported directly to the CID and police.

Mr Dissanayake, the FCO, upon questioning has maintained that his email was hacked. However, this has been dismissed by the SLC’s IT division which says it has strong controls (Office 365 login).

The Sunday Times dug into the Hong Kong business registry to gather more information about Fanya Silu Co Ltd. According to the Chinese language records (translated with assistance from investigative journalists in Hong Kong), the company was formed on September 27, 2017, by a 38-year-old Chinese national called Zhang Xiaoming. He was the only founder member and director and is from a small county in the Gansu Province. The name Zhang Xiaoming is widespread in China.

In September this year, Mr Zhang resigned and the company appointed Tamara Sanchez Baurdet as the new director. She holds a Spanish passport and the address she has provided the business registry is Avenida del Garraf, 12, 1A Vilafranca del Penedes, Barcelona. But it was she who handed over the information to the company registry in Hong Kong and the document lists her address there as Flat 2814 Block 8, Ming Kum Road, Tuen Mun, NT, which is public rental housing.

A further search of the business directory showed that Sanchez Baurdet is a director of no fewer than 300 companies registered in Hong Kong (and at least one in Poland. This is called Wing Lok Trading. Wing Lok is also a street in Hong Kong). All of them were formed in recent years and around the same period. Investigative journalists in Hong Kong said she could be a proxy or merely an avenue to register companies, earning an income from sitting as a director.

Another possibility is that Mr Zhang sold off the shell to Sanchez Baurdet, they said, adding that it was common business in Hong Kong to trade in such companies. The territory has thousands of shell companies, some of which are used to get money in and out of China.

Interestingly, Mr Zhang resigned from Fanya Silu Co one day before the payment authorisation letter was allegedly sent by Mr Dissanayake to Sony Pictures (it was dated September 4, 2018). This could have been to avoid liability in case the wire transfer came through. But while the business registry document says he resigned, it does not mean he is not still the beneficial owner.

The letter sent to Sony with instructions to transfer US$ 5,564,404.50 to the account of Fanya Silu Co in Hangseng Bank Hong Kong contains multiple grammatical and syntax errors. Meanwhile, several emails purportedly sent from Mr Dissanayake’s email address (hofinance@srilankacricket.lk) are copied to similarly named email addresses belonging to the SLC’s Chief Operating Officer Jerome Jayaratne and CEO Ashley de Silva. But instead of coo@srilankacricket.lk or ashley@srilankacricket.lk, the addresses are coo@srilankacricket.us and ashley@srilankacricket.us.

The ‘srilankacricket.us’ domain is registered to a user named Sunil Shahzad whose address is Office #26, Arfa Tower, Gulberg III in Lahore, Punjab, Pakistan. It was created in August this year.

The SLC case involves shell companies, at least two bank accounts and hard-to-trace individuals in several jurisdictions. It is also likely that other email accounts at SLC have been compromised. But the sporting body maintains that Mr Dissanayake is directly involved. This is because the emails pertaining to the transactions–including the questionable ones–were sent from his hofinace@srilankacricket.lk account and not a srilankacricket.us account, they claim. It was not possible to independently verify this.

The SLC also acknowledges that some emails had originated from another IP address. But it claims that the CFO could have done it to “pretend to be hacked” by the use of a proxy site. The SLC also says a hacker cannot stage a “middleman attack” on a particular email address for months without it being noticed. It was not possible to independently verify the time period being referred to.

The sporting body says it also recovered emails that were “hard deleted”–indicating that Mr Dissanayake may have tried to erase traces from the system. The primary investigation by SLC shows there was no hacking, an internal source said, adding that the CID’s cyber crime division has been given the task now.

Dramatic increase in email wire frauds A recent “dramatic increase” in email wire frauds perpetrated against companies worldwide with funds being wired to accounts in Asian banks in Hong Kong and mainland China has been widely flagged on the internet. The US Federal Bureau of Investigation (FBI) has reported that between October 2013 and February 2016, there were 17,642 victims resulting in US$ 2.3bn in losses. This is a 270 percent increased in identified victims and exposed loss since January 2015. The global law firm Dorsey and Whitney LLP say the figures “probably understate the dimensions of the problem”. “The BEC scams are occurring at an alarming rate and even large sophisticated companies are falling victim,” it states, in a report. Among the clues to look out for are: “email addresses from a known person which are from a different or unusual email account, bearing in mind that difficult-to-detect changes can be made to a legitimate e-mail address; and emails with unusually poor spelling and grammar.” Emails can be compromised even with protections such as Office 365 Login because the end user is “human”, said Roshan Indragupta, Senior Information Security Engineer at Sri Lanka CERT. The attacks are usually through targeted phishing emails or “spear fishing” attacks. “They happen mostly due to the lack of awareness of the user,” he explained “All of a sudden, when they ready to place orders and pay the money, they receive an email requesting them to deposit it to a different account,’ he said, saying similar frauds were reported in the past three years targeting businesses doing transactions with foreign parties. There have been instances where hackers have changed the settings so that emails sent to a particular account are copied to the hacker’s email account so that he or she is aware of the conversations and transactions taking place. “A hacker can change the settings–and, in some cases, this has happened –so that he can intercept the reply of a business partner overseas or send emails without the account owner knowing it,” Mr Indragupta said. “In this way, a third party will get to know exactly what is going on.”

Floods no bar to liquor shops

UDA to lease out underutilised land

Bigger role for private sector in Govt.’s building projects

Many essential drugs being withdrawn from Sri Lanka

Rs. 2.1 billion asked for mystery school uniform order

Concrete elevated highway from Kelanitissa to Galle Face

Indian assistance for 1,200 houses in Hambantota

Largest Uni auditorium, courtesy India

Tamil activists move to involve Sri Lanka in London arrests

SLAF’s Air Symposium 2018 on October 18-19

No provision to accept Submissions as a sealed document: Magistrate

Notice re-issued in RADA case

Adulterated palm oil: Counsel turns petitioner after client withdraws case

Safety of undersea cables vital for interconnected world: PM

Aviation expert highlights more issues at Ratmalana Airport following ST story

Court orders to resume investigations against Ravi K.

Posthumous publication of Hemantha’s articles

Unpaid millions pile up on Colombo mayor’s doorstep

Ex-cop arrested for selling drugs to schoolchildren

Former MP Duminda Silva and 3 others guilty as charged, rules Apex Court

Justice Nalin Perera sworn in as 46th Chief Justice

Rs. 2.1 billion asked for mystery school uniform order

Loco motives behind train fare hike

Cybercrimes: Financial fraudsters are becoming increasingly innovative

Fishermen say industry is drowning but fisheries chief denies charges

Weather improves, but landslide warnings yet for Galle and Kalutara districts

Why motorists are bumping along Colombo roads at snail’s pace

Vaccination, the way forward to a healthy country

Roads must be converted into safe spaces for citizens

Whether President, PM appear or not, Tissa Attanayake case will go on

Group searches ways to end elephant carnage on rail tracks

Pick of the Pix

A closer look at COBRA

‘Rescue’ of wild cat babies backfires

Urban flooding

Homeless ask why no land for housing but plenty for business

Mihin Lanka never filed Performance Reports despite repeated reminders