A forensic audit has found that an alleged wire transfer fraud at Sri Lanka Cricket (SLC) was the result of "business email compromise" (BEC) by hackers who attempted to siphon funds into an offshore account by infiltrating the official email accounts of SLC employees.
Piyal Dissanayake, SLC Head of Finance (HoF), was sent on compulsory leave in September 2018 pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 187,000 due for South Africa's tour of Sri Lanka to an account in Banamex Bank, Mexico.
He also allegedly told Sony Pictures to remit a further US$ 5.5mn (the broadcast payment for the England tour of Sri Lanka) to an account in the Hang Seng Bank in Hong Kong in the name of an entity called Fanya Silu Co Ltd. This was to be credited automatically to the Banamex Bank in Mexico, by way of an electronic wire transfer where money is sent to the final beneficiary's bank account via an intermediary bank.
The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case. Ernst & Young (EY) was enlisted to carry out a comprehensive audit of SLC's broadcast earnings.
The CID has made little headway. However, the Sunday Times first reported in October 2018 that SLC was likely to have been the target of hackers using a Hong Kong-based shell company to perpetrate an international wire transfer fraud in a textbook case of BEC.
In March, six months after being assigned the task of conducting a fact-based investigation on incoming proceeds related to media broadcasting rights, EY submitted its findings to SLC. It has determined that emails, particularly those containing instructions to transmit money into an offshore account that did not belong to SLC, originated from a fake Internet Protocol (IP) address. This indicates that SLC's email accounts were hacked.
"In the email, an invoice was attached with instructions to remit USD 187,084.75 to beneficiary's account (6761603874) in BBVA Compass bank in USA," the 112-page report states. "We noted in the trace report that the email had been sent from the HOF's email account from IP address 41.190.3.93 (which we refer to as a fake IP address)."
The fake invoice "appears to have been modified using the 'genuine' invoice, using 'ImageMagick' a tool which enables modifying of pdf documents on 18 July 2018 but dated 17 July 2018", the report continues. The genuine invoice was dated 17 July 2018.
It states: "We observed a deleted email in the HOF's email account. This had been sent on 03 September 2018 to Sandeep.Patil@setindia.com and copied to Shradha.Bhandarkar@setindia.com; Vijaykumar.Mb@setindia.com, Asha.Naik@setindia.com, Sunil.Kenia@setindia.com, ashley@srilankacricket.us. In the email an invoice was attached with instructions to remit US$ 187,084.75 to beneficiary's account (002180700779057641) in Banamex bank, Mexico. We noted in the trace report that the email had been sent from the HOF's email account from IP address 41.190.2.83 (which we refer to as a fake IP address)."
The EY auditors state that this "fake" invoice also appears to have been modified using the "genuine" invoice, using "zamzar", a website which enables alteration of pdf documents, on 3 September 2018 and dated 3 September 2018. However, the genuine invoice was dated 17 July 2018.
According to the report, instructions to remit US$ 5,564,404.50 to Hang Seng Bank, Hong Kong, were sent from HoF's email account using a fake IP address. This fake invoice was created by modifying the "genuine" invoice, using "zamzar". The fake invoice was dated 5 September 2018 while the genuine invoice was dated 4 September 2018.
A business email compromise is an exploit in which "the attacker gains access to a corporate email account and spoofs the owner's identity to defraud the company or its employees, customers or partners of money. In some cases, an attacker simply creates an account with an email address that is similar to one on the corporate network".
Mr Dissanayake consistently maintained that his email was hacked. The SLC's IT division dismissed his claim saying it had strong controls (Office 365 login).
Last year, the Sunday Times dug into the Hong Kong business registry to gather more information about Fanya Silu Co Ltd. According to the Chinese language records (translated with assistance from investigative journalists in Hong Kong), the company was formed on September 27, 2017, by a 38-year-old Chinese national called Zhang Xiaoming. He was the only founder member and director and is from a small county in the Gansu Province. The name Zhang Xiaoming is widespread in China.
In September last year, Mr Zhang resigned and the company appointed Tamara Sanchez Baurdet as the new director. She holds a Spanish passport and the address she has provided the business registry is Avenida del Garraf, 12, 1A Vilafranca del Penedes, Barcelona. But it was she who handed over the information to the company registry in Hong Kong and the document lists her address there as Flat 2814 Block 8, Ming Kum Road, Tuen Mun, NT, which is public rental housing.
A further search of the business directory showed that Sanchez Baurdet is a director of no fewer than 300 companies registered in Hong Kong (and at least one in Poland. This is called Wing Lok Trading. Wing Lok is also a street in Hong Kong). All of them were formed in recent years and around the same period. Investigative journalists in Hong Kong said she could be a proxy or merely an avenue to register companies, earning an income from sitting as a director.
Interestingly, Mr Zhang resigned from Fanya Silu Co one day before the payment authorisation letter was allegedly sent by Mr Dissanayake to Sony Pictures (it was dated September 4, 2018). This could have been to avoid liability in case the wire transfer came through. But while the business registry document says he resigned, it does not mean he is not still the beneficial owner.
The letter sent to Sony with instructions to transfer US$ 5,564,404.50 to the account of Fanya Silu Co in Hang Seng Bank, Hong Kong, contains multiple grammatical and syntax errors. Meanwhile, several emails purportedly sent from Mr Dissanayake's email address (hofinance@srilankacricket.lk) are copied to similarly named email addresses belonging to the SLC's Chief Operating Officer Jerome Jayaratne and CEO Ashley de Silva. But instead of coo@srilankacricket.lk or ashley@srilankacricket.lk, the addresses are coo@srilankacricket.us and ashley@srilankacricket.us.
The "srilankacricket.us" domain is registered to a user named Sunil Shahzad whose address is Office #26, Arfa Tower, Gulberg III in Lahore, Punjab, Pakistan. It was created in August this year.
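The copied-in lookalike addresses described above are something a mail gateway or a finance team's triage script can check for. The following Python sketch is an added example, not part of the article or the EY report: it flags To/Cc recipients whose domain carries a trusted organisation's name under a different suffix, and goes slightly beyond the case reported here by also catching near-miss spellings. The function names, the trusted-domain list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own domain and its known counterparty.
TRUSTED = {"srilankacricket.lk", "setindia.com"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED):
    """Return 'trusted', 'external', or a 'lookalike: ...' verdict."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Simplification: treat the label left of the final suffix as the name.
    name = domain.split(".")[-2] if "." in domain else domain
    for good in sorted(trusted):
        good_name = good.split(".")[-2]
        if name == good_name:
            return f"lookalike: same name as {good}, different suffix"
        if edit_distance(name, good_name) <= 2:
            return f"lookalike: near-miss spelling of {good}"
    return "external"

def flag_recipients(raw_message, trusted=TRUSTED):
    """List (header, address, verdict) for lookalike To/Cc recipients."""
    msg = message_from_string(raw_message)
    hits = []
    for header in ("To", "Cc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            verdict = classify(addr.rpartition("@")[2], trusted)
            if verdict.startswith("lookalike"):
                hits.append((header, addr.lower(), verdict))
    return hits

# Constructed sample: the To address is made up; the Cc ones are from the article.
SAMPLE = (
    "From: hofinance@srilankacricket.lk\n"
    "To: billing@setindia.com\n"
    "Cc: coo@srilankacricket.us, ashley@srilankacricket.us\n"
    "\nPlease see attached invoice.\n"
)
```

Calling `flag_recipients(SAMPLE)` returns the two `srilankacricket.us` Cc addresses, each with a "same name, different suffix" verdict.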
The SLC case involves shell companies, at least two bank accounts and hard-to-trace individuals in several jurisdictions. It is also likely that other email accounts at SLC have been compromised. But the sporting body maintains that Mr Dissanayake is directly involved. This is because the emails pertaining to the transactions, including the questionable ones, were sent from his hofinance@srilankacricket.lk account and not a srilankacricket.us account, they claim. It was not possible to independently verify this.
The SLC acknowledged at the time that some emails originated from another IP address. But it claimed the CFO could have done it to "pretend to be hacked" by the use of a proxy site. The SLC also says a hacker cannot stage a "middleman attack" on a particular email address for months without it being noticed. It was not possible to independently verify the time period being referred to.