by Ideafix
Mon May 12, 2014 5:35 am
This IP address already appears here and on several other sites in all kinds of scam attempts. The difference here is that they sent an attached exe file disguised as a purchase order, which was flagged as trojan/backdoor by my security software.
ipTRACKERonline.com wrote:
Header Analysis Quick Report
Originating IP: 41.203.69.2
Originating ISP: Globacom Ltd
City: n/a
Country of Origin: Nigeria
* For a complete report on this email header go to ipTRACKERonline
Hello,
I am resending our purchase order. Please issue us your PI immediately, specification and quantity needed are listed. Thanks and waiting your reply. We plan on making payment asap because we want goods shipped out soonest.
Your early reply is highly appreciated. Thank You!
******************************
Best regards,
Mr,Joseph Kris
Haz'bashi Co. Ltd.
3707 Queens crescent,
Queens, NY 11101. USA
Return-path: <[email protected]>
Delivery-date: Mon, 12 May 2014 01:08:10 +0200
Received: from [98.138.87.1] (helo=omp1001.mail.ne1.yahoo.com)
    by massenet09.register.it with esmtp (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1Wjcqm-0006yl-HU
    for XXXX
Received: (qmail 538 invoked by uid 1000); 11 May 2014 23:08:06 -0000
Received: (qmail 97518 invoked by uid 60001); 11 May 2014 23:08:05 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1399849685; bh=sg6NuadyDOdlVxMxqFtjRsOVSbjyUBUsftelBOb8HO4=; h=References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Csq47+SS0/oyHpzWVD42XTHW8+wmffJH4uywZqO601jkCu6R/Sb7N9+SftwHsNl44FF1IJHlprOzrwVe4gKnSb/ISy1iftvrE74lrlgC/GB2WbLhyxaLxldGCd52Do1Bzt8pAQFSGlzHWbZpWbv8e9YFcsZ98E6J/0UhZWe4cAA=
Received: from [41.203.69.2] by web126106.mail.ne1.yahoo.com via HTTP; Sun, 11 May 2014 16:08:05 PDT
X-Rocket-MIMEInfo: 002.001,CgpIZWxsbywKCkkKIGFtIHJlc2VuZGluZyBvdXIgcHVyY2hhc2Ugb3JkZXIuIFBsZWFzZSBpc3N1ZSB1cyB5b3VyIFBJIGltbWVkaWF0ZWx5LCAKc3BlY2lmaWNhdGlvbiBhbmQgcXVhbnRpdHkgbmVlZGVkIGFyZSBsaXN0ZWQuIFRoYW5rcyBhbmQgd2FpdGluZyB5b3VyIApyZXBseS4gV2UgcGxhbiBvbiBtYWtpbmcgcGF5bWVudCBhc2FwIGJlY2F1c2Ugd2Ugd2FudCBnb29kcyBzaGlwcGVkIG91dCAKc29vbmVzdC4KCllvdXIgZWFybHkgcmVwbHkgaXMgaGlnaGx5IGFwcHJlY2lhdGVkLiBUaGFuayBZb3UhCgoBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.188.663
References: <[email protected]> <[email protected]> <[email protected]>
Message-ID: <[email protected]>
Date: Sun, 11 May 2014 16:08:04 -0700 (PDT)
From: Joseph Kris <[email protected]>
Reply-To: Joseph Kris <[email protected]>
Subject: Purchase order - Please issue us PI asap
To: undisclosed recipients: ;
In-Reply-To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1181703601-1037120079-1399849685=:92751"
DomainKey-Status: Testing no signature (DK_STAT_NOSIG: No signature available in message)