A woman from Rhode Island has been charged with impersonating Microsoft to steal personal information from political candidates and their campaign staff.
Cranston resident Diana Lebeau allegedly sent phishing emails to approximately 22 members of the campaign staff of a candidate for political office in or around January 2022.
In the emails, the 21-year-old allegedly posed as either the campaign’s managers or one of the campaign’s co-chairs. Recipients were directed to enter their account login details into an attached spreadsheet, or to click on a link that took them to a Google Form that requested the same credentials.
Lebeau is further accused of sending several phishing emails to the political candidate’s spouse and to colleagues at the spouse’s workplace. In these emails, Lebeau allegedly impersonated Microsoft’s Security Team or an employee of the workplace’s technology helpdesk.
Recipients were asked to add their account credentials to spreadsheets attached to the emails or were asked to enter sensitive data on a website spoofing that of the spouse’s employer.
In March 2020, Lebeau allegedly launched another phishing campaign targeting a different candidate for political office. Lebeau is accused of impersonating the candidate’s cable and internet provider over email to steal the candidate’s account credentials.
She is further accused of impersonating this candidate in online chats with the same cable and internet provider, as a ruse to reset and obtain the candidate’s account password.
According to the charging document, Lebeau's alleged actions were not motivated by financial or political aims and were not carried out to benefit any foreign government, instrumentality, or agent.
Lebeau has been charged with attempted unauthorized access to a protected computer. If convicted, she could be sentenced to up to one year in prison, be placed under supervised release for up to 12 months and be fined up to $100,000.
"The best first-line defense against an attack like this is training," commented Lookout's Hank Schless.
"Be sure to constantly run security training and include mobile in those sessions. Simple steps like always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach."
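The reply-to check Schless recommends is easy to automate. The following is an added example, not code from the article or from Lookout: it parses an email's headers and flags two of the indicators present in the lures described above, a Reply-To domain that differs from the From domain, and a display name that invokes a brand (here "Microsoft") from a domain that does not belong to that brand. The sample messages and the brand-to-domain table are constructed for illustration; the domain list is an assumption, not an authoritative allowlist.

```python
"""Flag header-level phishing indicators: Reply-To/From domain mismatch and
brand impersonation in the display name. Added example with constructed
sample messages; not part of the article."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed mapping of brand keywords to domains that brand legitimately sends
# from. Constructed for the example; a real deployment would maintain its own.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _name, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message headers."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    indicators = []
    from_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # 1. Replies would go to a domain other than the one the mail claims to be from.
    if reply_domain and reply_domain != from_domain:
        indicators.append(
            f"reply-to domain {reply_domain} differs from from domain {from_domain}"
        )

    # 2. Display name names a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in from_name.lower():
            legit = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
            if not legit:
                indicators.append(
                    f"display name claims {brand} but sender domain is {from_domain}"
                )
    return indicators


# Constructed sample: a lure styled like the "Microsoft Security Team" emails.
SAMPLE_SPOOF = (
    "From: Microsoft Security Team <alerts@example-mail.test>\n"
    "Reply-To: helpdesk@another.test\n"
    "Subject: Verify your account\n"
    "\n"
    "Please enter your login details in the attached spreadsheet.\n"
)

# Constructed sample: an ordinary internal message with no indicators.
SAMPLE_LEGIT = (
    "From: Alice <alice@campaign.test>\n"
    "Subject: Agenda\n"
    "\n"
    "See you tomorrow.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Run it over raw `.eml` text at a mail gateway or in a triage script; a non-empty result is a reason to hold the message for review rather than a verdict, since legitimate mail sometimes sets a different Reply-To (mailing lists, ticketing systems), which is exactly why the article pairs the check with asking IT before replying.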