Cyber Abuse Targets Watts, Wrenner

by Ken Signorello

June 2, 2021

An investigation into EssexDefender.com’s origin uncovered 18 domain names associated with Pallas Web Development and used in a campaign targeting Essex residents Andy Watts and Irene Wrenner.

Watts and Wrenner, with close to 20 years of Selectboard experience between them, have worked toward fair Merger plans over time and took issue with the latest Merger proposal. 

Their names have been misappropriated into web domains, while making it appear that Wrenner is responsible for registering some of them. Several domain names are configured to redirect users from intended web destinations to EssexDefender.com.

The EssexDefender website presents pro-Merger political information. However, the website did not disclose its originator(s) nor who is responsible for its content.

This is in contrast to the two political action committees that operated websites during the Merger campaign.  NoMergerNow (anti Merger) and #oneEssex (pro Merger) were both registered with the Secretary of State’s office.

 

A tip from a tech-savvy reader indicated that EssexDefender.com is hosted by Pallas Web Development (PWD), a business operated by Essex resident Athena Letourneau Newhard. Ms. Newhard did not respond to our inquiry.

Through our source we learned that EssexDefender.com was originally registered on 3/7/21. Its nameserver at that time was set to pallaswebdevelopment.com. 

On 3/14/21, the Retorter linked PWD to a sock puppet campaign on Front Porch Forum, Two days later nunyabusiness.xyz was created and subsequently

set to be the new nameserver for EssexDefender.com.

thumbnail.png

A quick primer on how the internet works:

Website names must be translated to the IP (internet protocol) address of the actual computer that hosts the intended website. This is done through the Domain Name System (DNS). IP addresses are tied to specific website servers, which are owned or rented by website hosting companies. 

 

Determining the IP address for a domain name, simplified, is like looking up a phone number in a phone book (remember those?). First you have to figure out which phone book to use, per city or region. Then you look up the name in that phone book to find the phone number to call. 

 

When you type or click on a website link in a browser, the DNS (simplified) determines which “phone book” to use. The correct phone book is the nameserver set for the specified domain at its registrar, e.g., godaddy. The nameserver then provides the actual IP address for the requested website.

 

Each nameserver may list many domains, and a single IP Address (actual server) may host many domains and web sites.

From our previous reporting, the last registered agent for PWD was Athena Newhard, whose LinkedIn profile shows it as her current business. 

Three techniques were employed against two Essex residents and their businesses:

1. Typo Squatting - A number of website addresses were set up in such a way that someone seeking the EssexRetorter.com, or IreneWrenner.com, but using the wrong suffix ― .org instead of .com ― is redirected to the contradictory content of EssexDefender.com.

list2.png

2. Domain Name Squatting - Without Watts’ permission, someone at PWD registered two domains bearing his name: andywattsvt.com and wattsforvt.com.

 

Both use a PWD nameserver. Thus PWD agents can create a website and post content without the approval of Watts, the current Selectboard Chair.

Likewise, IreneWrenner.org and IreneWrenner.net, along with other variations, were created without Wrenner’s approval. Her Essex Retorter, NoMergerNow, and Fairness1st names are also objects of this cyber campaign.

If either Andy Watts or Irene Wrenner want to use any of these domain names for a future campaign, these addresses bearing their own names would be unavailable to them.

This is the discovered list of domains, all of which resolve either directly to IP address 162.255.161.125 or have a nameserver that does:

list4.png

3. Nameserver Chicanery - This might be the most deceptive technique.  Anyone checking the domain name registry for AndyWattsvt.com would see its nameserver set to IreneWrenner.org, falsely associating Wrenner with that registration and 15 other domains. The above 16 domain names were set up this way.

 

PWD now uses three different domains as nameservers depending on the purpose.  All three domains used as nameservers were created on or after 3/18/21:

list3.png

Two other domains used in the FPF campaign were oneessex.today and citybluffcondos.com. When traced, these four domains  pallaswebdevelopment.com, nunyabusiness.xyz, oneessex.today and citybluffcondos.com ― translate to a single IP address: 162.255.161.125.

A reverse lookup on the Domain Name System will yield all the domains hosted at a single IP address.

Looking up 162.255.161.125 uncovered a list of domain names, all of which, in some way, are associated with PWD. Many are obvious PWD customers, as the related web sites say “Website Design and Development by Pallas Web Development''. PallasWebDevelopment.com is also hosted at that IP address, along with athenanewhard.net and adamnewhard.com.

All of the domain names discovered are registered with NameSilo.com. They are set to shield the name of the registrant, a common service offered by many registrars.

 

Because all of these domains resolve to the same IP address 162.255.161.125 and all of the domains related to that IP address are either customers of PWD or part of one of the three campaigns uncovered, PWD is at least complicit in the effort. 

 

We cannot say for sure who created the content on EssexDefender.com or who registered all these domains, only that each resolves to a single IP address used exclusively by PWD. 

Irene Wrenner is the publisher of the Essex Retorter.

list5.png