Twitter phishing attack - the implications
Dan Thornton | January 5, 2009

Twitter has been hit by the first major effort to ‘phish’ account details: Direct Messages sent from compromised accounts are spamming users with links to a fake login page.
The Twitter team has responded with a warning on the main web access page, and a warning on the Twitter blog. You can see the uproar it’s causing on Twitter via Twitter Search.
Currently the DMs are enticing people with:
- Here’s a funny blog about you
- Your picture is on this blog
- You’ve won a free iphone
Luckily the phishers are at least sticking to the grand tradition of email spam, either dangling a blatantly ‘too good to be true’ offer or a personal hook, and the link to the fake Twitter log-in page is displayed in full, so hopefully the word has spread to most people.
However, this is likely to be just the start. As Pete Cashmore pointed out at Mashable, this is a sign Twitter has reached a big enough size to be a viable target for scams - a positive sign for Twitter’s growth perhaps, but also a sign that the scammers and spammers are coming, with pretty big implications for Twitter users.
Shortened URLs:
For starters, we were lucky in a way that the phishers obviously aren’t familiar with Twitter culture and displayed the full URL of the fake website, meaning that even if the DM came from someone we absolutely trusted, we had a warning before clicking.
But given that Twitter’s character limit means shortened URLs are the norm, it will be almost impossible to tell whether a link is fake before visiting it. That means an urgent need for preview functionality for shortened URLs at the bare minimum: resolve where the link actually lands, and check that host, before anyone types a password.
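The check described above, as an added example that is not code from the original post: expand a shortened link by following its redirects without rendering anything, then compare the landing host against the hosts a real Twitter login could live on, and combine that with the lure phrases quoted from the DMs earlier in the post. Everything here is constructed for the example: the redirect table `FAKE_REDIRECTS` stands in for a shortener’s HTTP redirects so the code runs offline (in practice the resolver would be an HTTP HEAD with redirects disabled, reading the `Location` header), the shortener and phishing hostnames are invented, and `TRUSTED_HOSTS` is an assumed allowlist.

```python
"""Preview shortened links in a Twitter DM and flag fake login pages.

Added example, not code from the original post. Every hostname, redirect
hop and DM below is constructed so the example runs offline.
"""
import re
from urllib.parse import urlsplit

# Assumption: the only hosts a genuine Twitter login page could be served from.
TRUSTED_HOSTS = {"twitter.com", "m.twitter.com"}

# The three lures quoted in the post, lower-cased for matching.
LURE_PHRASES = ("funny blog about you", "your picture is on this blog", "won a free iphone")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed redirect table: short URL -> next hop, None means "final page".
# It stands in for the shortener's HTTP 301/302 responses.
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc": "http://twitter.com.login-page.example/login",
    "http://twitter.com.login-page.example/login": None,
    "http://tinyurl.example/def": "http://twitter.com@login-page.example/login",
    "http://twitter.com@login-page.example/login": None,
    "http://tinyurl.example/xyz": "https://twitter.com/home",
    "https://twitter.com/home": None,
    "http://tinyurl.example/loop": "http://tinyurl.example/loop2",
    "http://tinyurl.example/loop2": "http://tinyurl.example/loop",
}


def expand(url, resolver, max_hops=10):
    """Follow redirects without fetching page bodies; return the full hop chain.

    `resolver(url)` returns the next hop or None. Loops and over-long chains
    raise ValueError so the caller can treat "could not preview" as a signal.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(url)
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    raise ValueError("too many redirects")


def host_is_trusted(url):
    """True only if the landing host is exactly one of TRUSTED_HOSTS.

    urlsplit().hostname ignores userinfo, so "http://twitter.com@evil.example/"
    yields "evil.example", and "twitter.com.evil.example" never matches.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in TRUSTED_HOSTS


def classify_dm(text, resolver):
    """Score one DM. Returns (verdict, landing_urls).

    'phish'      : a link lands off-Twitter AND the text carries a known lure
    'suspicious' : off-Twitter landing, an unexpandable link, or a lure alone
    'ok'         : every link lands on a trusted host and no lure is present
    """
    lowered = text.lower()
    lure = any(phrase in lowered for phrase in LURE_PHRASES)
    landings, untrusted, unresolved = [], False, False
    for short in URL_RE.findall(text):
        short = short.rstrip(".,);")  # trailing punctuation is not part of the link
        try:
            chain = expand(short, resolver)
        except ValueError:
            unresolved = True
            continue
        landings.append(chain[-1])
        if not host_is_trusted(chain[-1]):
            untrusted = True
    if untrusted and lure:
        return "phish", landings
    if untrusted or unresolved or lure:
        return "suspicious", landings
    return "ok", landings


if __name__ == "__main__":
    # Constructed DMs modelled on the ones quoted in the post.
    for dm in (
        "Here's a funny blog about you http://tinyurl.example/abc",
        "check this http://tinyurl.example/def",
        "You've won a free iphone http://tinyurl.example/xyz",
        "Your picture is on this blog http://tinyurl.example/loop",
        "see you at the meetup https://twitter.com/home",
    ):
        print(classify_dm(dm, FAKE_REDIRECTS.get), "<-", dm)
```

The host comparison is deliberately an exact match against an allowlist rather than a substring test: `twitter.com.login-page.example` and `http://twitter.com@login-page.example/` both contain the string `twitter.com`, and both are caught only because the check looks at the parsed hostname. A link that cannot be expanded (loop, too many hops) is treated as suspicious rather than ignored, since an unpreviewable link is exactly what a warning system cannot vouch for.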
Warning systems:
A lot of Twitter users picked up on the scam DMs via friends, and stayed up to date via the #phishing hashtag and so on, and Twitter responded promptly with a warning on the website and blog. But what about the many, many people using a client to access Twitter and their Direct Messages? And those using mobiles to access the service?
Will everyone get a warning via each client and application? Unlikely at the moment, unless there is a type of ‘emergency signal’ which could be broadcast across all clients and apps.
Verified App Store:
Which brings me to the next possible implication: a few people have suggested that the fake log-in page is in fact working as a Twitter application, using the stolen usernames and passwords to send further DMs from the compromised accounts.
It has long been a matter of contention for users and app developers that any third-party application needing a certain level of functionality has to ask for the user’s username and password, so users are already trained to hand their credentials to sites that are not twitter.com. Now third-party developers could be hit by a huge loss of trust from users.
So could this be an opportunity for a verified and approved Twitter application resource? Possibly monetised by charging a fee for consumers (unlikely), or for developers to have their application tested and approved (more likely)?
This could have implications for the speed and number of Twitter applications and clients being produced, and could also move such development away from bedroom coders, depending on the fees for such services.
It certainly means there could be a move for more users to run more than one Twitter account, so they can test applications and clients without compromising their main account.
So what other implications do you think the arrival of large scale phishing attacks could have on Twitter - and what suggestions do you have for other Tweeple - and Twitter itself, to try to minimise the damage of future attacks?