The US Department of Justice (DoJ) has charged a woman in Rhode Island in a phishing campaign against candidates for political office, and related associates, that impersonated various individuals, including campaign workers and the Microsoft security team, in an attempt to trick victims into providing account credentials.
Diana Lebeau allegedly tried to trick candidates for public office and related individuals into giving up account credentials by impersonating trusted associates and the Microsoft security team.
The US Attorney’s Office for the District of Massachusetts has charged Diana Lebeau, 21, of Cranston, R.I., with “attempted unauthorised access to a protected computer,” says a press release from the DoJ.
The charge relates to a phishing campaign Lebeau allegedly mounted beginning in January 2020 against about 22 campaign staffers for an unnamed candidate for political office, as well as another political candidate (also not identified) and related associates, according to the DoJ. Assistant US Attorney Seth Kosto is prosecuting the case.
The campaign came in two phases with various targets. Lebeau allegedly used a typical phishing tactic, taking on the identity of trusted associates of the victims to try to trick them into complying with the messages’ requests for credentials, authorities explained. She even impersonated one of the candidates in an attempt to steal credentials, they observed.
The first phase of the campaign sent two sets of phishing emails. One claimed to be from either the campaign’s managers or one of the campaign’s co-chairs and asked recipients to enter their account credentials into an attached spreadsheet, or to click a link that took them to a Google Form that also solicited credentials, according to the DoJ.
Lebeau also allegedly targeted the candidate’s spouse and other co-workers with messages that appeared to be either from Microsoft’s “Security Team” or from an employee of the workplace’s IT help desk.
“The emails… requested that recipients provide account credentials or other information about their computers by adding it to attached spreadsheets or on a website that mimicked the appearance of the employer’s legitimate website,” according to the DoJ.
False Login Link
The second phase of the campaign came two months later, in March, when Lebeau allegedly sent phishing emails targeting another candidate for political office that claimed to be from the candidate’s cable and internet provider. These emails contained a false login link, ostensibly for the purpose of addressing an issue with the candidate’s account, that required the recipient to provide login credentials.
“Lebeau also impersonated this candidate in online chats with the cable and internet provider, in an attempt to reset and obtain the candidate’s account password,” according to the DoJ.
Lebeau faces a sentence of up to one year in prison, one year of supervised release, a fine of up to $100,000 and forfeiture for the charge, which notes that “Lebeau did not act with financial or political motive or to benefit any foreign government, instrumentality, or agent,” according to the DoJ.
However, one security expert criticised the leniency of the charge and its possible sentence, suggesting that the action should be taken just as seriously as if a foreign entity had been the attacker.
“This is an unexpected phishing campaign outcome in that the charging document does not indicate Lebeau acted with financial or political motives to ‘foreign government, instrumentality, or agent,’” Saryu Nayyar, CEO of security and risk analytics firm Gurucul, stated.
“Is that the only motive subjects we care about? This appears to be a politically motivated attack albeit domestic.”
Nayyar suggested that given the “toxicity” and drastic polarisation of the current political climate in the US, “extreme views” call for “extreme action,” and that Lebeau’s motives should not be taken so lightly.
“So, what was this woman’s attack motive?” she asked. “Inquiring minds want to know.”