DoJ Charges Rhode Island Woman in Phishing Scheme Against Politicians

Diana Lebeau allegedly tried to trick candidates for public office and related individuals into giving up account credentials by impersonating trusted associates and the Microsoft security team.

The Department of Justice (DoJ) has charged a woman in Rhode Island in connection with a phishing campaign against candidates for political office and related associates. The campaign impersonated various individuals, including campaign workers and the Microsoft security team, in an attempt to trick victims into providing account credentials.

The U.S. Attorney’s Office for the District of Massachusetts has charged Diana Lebeau, 21, of Cranston, R.I., with “attempted unauthorized access to a protected computer,” according to a press release from the DoJ.

The charge relates to a phishing campaign Lebeau allegedly mounted beginning in January 2020 against about 22 campaign staffers for an unnamed candidate for political office, as well as another political candidate (also not identified) and related associates, according to the DoJ. Assistant U.S. Attorney Seth Kosto is prosecuting the case.

The campaign came in two phases with various targets, with Lebeau allegedly using a typical phishing tactic: assuming the identity of trusted associates of the victims to try to trick them into complying with the messages’ request for credentials, authorities said. She even impersonated one of the candidates in an attempt to steal credentials, they said.

Two-Phase Campaign

The first phase of the campaign sent two sets of phishing emails. One claimed to be from either the campaign’s managers or one of the campaign’s co-chairs and asked recipients to put their account credentials into an attached spreadsheet, or to click a link that connected them to a Google Form that also solicited credentials, according to the DoJ.

Lebeau also allegedly targeted the candidate’s spouse and other co-workers with messages that appeared to be either from Microsoft’s “Security Team” or from an employee of the workplace’s IT help desk.

“The emails… requested that recipients provide account credentials or other information about their computers by adding it to attached spreadsheets or on a website that mimicked the appearance of the employer’s legitimate website,” according to the DoJ.

The second phase of the campaign came two months later in March, when Lebeau allegedly sent phishing emails targeting another candidate for political office that claimed to be from the candidate’s cable and internet provider. These emails contained a false login link ostensibly for the purpose of addressing an issue with the candidate’s account that required the recipient to provide login credentials.

“Lebeau also impersonated this candidate in online chats with the cable and internet provider, in an attempt to reset and obtain the candidate’s account password,” according to the DoJ.

Too Lenient?

Lebeau faces a sentence of up to one year in prison, one year of supervised release, a fine of up to $100,000 and forfeiture for the charge, which takes into account that “Lebeau did not act with financial or political motive or to benefit any foreign government, instrumentality, or agent,” according to the DoJ.

However, one security expert criticized the leniency of the charge and its possible sentence, suggesting that the action should be taken just as seriously as if a foreign entity had been the attacker.

“This is an unexpected phishing campaign outcome in that the charging document does not indicate Lebeau acted with financial or political motives to ‘foreign government, instrumentality, or agent,’” Saryu Nayyar, CEO of security and risk analytics firm Gurucul, said in an email to Threatpost. “Is that the only motive subjects we care about? This appears to be a politically motivated attack albeit domestic.”

Nayyar suggested that given the “toxicity” and drastic polarization of the current political climate in the United States, “extreme views” call for “extreme action,” and that Lebeau’s motives should not be taken so lightly.

“So what was this woman’s attack motive?” she asked. “Inquiring minds want to know.”
