140Char

Microblogging news, tools and resources: Twitter, Google Buzz, Tumblr, Identi.ca, Yammer, Posterous

Big money for hacked Twitter accounts

Dan Thornton | January 31, 2010

Stolen Twitter accounts appear to be commanding a premium amongst hackers sharing details on forums.

Data-stealing software is a risk to your details on any site, but Kaspersky researcher Dmitry Bestuzhev says he has seen a Twitter account with just 320 followers offered for as much as $1000. In this case, the three-letter username may have influenced the price.

That compares with Gmail accounts for $82, Rapidshare accounts for $5 per month, and other sites including Skype and Facebook. Bestuzhev also went on to say Kaspersky had detected 70,000 data stealing programmes in 2009, which is twice as many as in 2008.

Twitter is likely to be a preferred route to spread malware as links can spread in near real-time to hundreds or thousands of followers – each of whom can quickly and easily repeat a malware message to their own network.

Malware messages are also hidden by shortened urls, and with the number of links spread via Twitter, there’s a good chance people are less suspicious of them than they would be of the same links in an email or IM.

It’s a reminder to make sure you use a unique password which is a mix of alphanumeric characters, and to change it regularly. Be careful of sharing it with third party sites and tools which aren’t using Twitter’s OAuth protocol, and be careful with links being posted by others – even including people you trust.

(Via Computerworld)


Twitter phishing attack – the implications

Dan Thornton | January 5, 2009

Twitter has been hit by the first major effort to ‘phish’ account details, with users being spammed via Direct Messages from compromised accounts containing links to a fake login page.

The Twitter team has responded with a warning on the main web access page, and a warning on the Twitter blog. You can see the uproar it’s causing on Twitter via Twitter Search.

Currently the DMs are enticing people with:

  • Here’s a funny blog about you
  • Your picture is on this blog
  • You’ve won a free iphone

Luckily the phishers are at least sticking to the grand tradition of email spamming by either trying to entice you with a blatantly ‘too good to be true’ offer, or something personal with the link to a fake Twitter log-in page displayed in full, so hopefully the word has spread to most people.

However, this is likely to be just the start. As Pete Cashmore pointed out at Mashable, this is a sign Twitter has reached a big enough size to be a viable target for scams – a positive sign for Twitter’s growth perhaps, but also a sign that the scammers and spammers are coming, with pretty big implications for Twitter users.

Shortened urls:

For starters, we were all lucky in some ways that the bloggers obviously aren’t familiar with Twitter culture, and were displaying the full url of the fake website, meaning that even if the DM came from someone we absolutely trusted, we had a warning before clicking.

But given that the character limit of Twitter means that shortened urls are the norm, it will make it almost impossible to detect whether a link is likely to be fake before at least visiting it – meaning an urgent need for preview functionality of shortened urls at the bare minimum.
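A sketch of the kind of preview described above, added here as an example and not part of the original post: it follows a short link's redirects without loading any page body and reports the final host, flagging names that merely contain the brand. The redirect table, the hosts in it, `TRUSTED_LOGIN_HOSTS` and the function names are all constructed for illustration; a real client would replace `sample_head` with an HTTP HEAD request.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for HTTP HEAD responses:
# url -> (status, Location header). Every host here is made up.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": (301, "http://twitter.com/login"),
    "http://short.example/xyz": (301, "http://hop.example/r?id=1"),
    "http://hop.example/r?id=1": (302, "http://twitter.login.example.net/login"),
    "http://short.example/loop": (302, "http://short.example/loop"),
}
TRUSTED_LOGIN_HOSTS = {"twitter.com"}  # assumption: the only genuine login domain
REDIRECT_CODES = (301, 302, 303, 307, 308)


def sample_head(url):
    """Offline stand-in for a HEAD request; unknown URLs answer 200."""
    return SAMPLE_REDIRECTS.get(url, (200, None))


def expand(url, head=sample_head, max_hops=5):
    """Follow redirects hop by hop and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop: " + nxt)
        chain.append(nxt)
    raise ValueError("too many redirects")


def preview(url, head=sample_head):
    """Report where a short link lands and whether the host imitates the brand."""
    chain = expand(url, head)
    host = (urlsplit(chain[-1]).hostname or "").lower()
    # Trusted means the exact domain or a true subdomain of it.
    trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)
    # Lookalike: brand label appears in the name, but the domain is someone else's.
    lookalike = not trusted and any(t.split(".")[0] in host for t in TRUSTED_LOGIN_HOSTS)
    return {"final_url": chain[-1], "host": host, "hops": len(chain) - 1,
            "trusted": trusted, "lookalike": lookalike}


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/xyz"):
        print(link, "->", preview(link))
```

The second sample link shows why the check compares the end of the host name: `twitter.login.example.net` starts with the brand but belongs to a different domain.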

Warning systems:

A lot of Twitter users picked up on the scam emails via friends, and stayed up to date with information via the #phishing hash tag etc – Twitter responded promptly with a warning on the website and blog. But what about the many, many people using a client to access Twitter and their Direct Messages? And those using mobiles to access the service?

Will everyone get a warning via each client and application? Unlikely at the moment, unless there is a type of ‘emergency signal’ which could be broadcast across all clients and apps.

Verified App Store:

Which brings me to the next possible implication – a few people have suggested that the fake log in page is in fact working as a Twitter application to utilise the stolen accounts and passwords.

It’s long been a matter of contention for users and app developers that any 3rd party application which requires a certain level of functionality has to ask for usernames and passwords – but now the 3rd party developers could be hit by a huge loss of trust from users.

So could this be an opportunity for a verified and approved Twitter application resource? Possibly monetised by charging a fee for consumers (unlikely), or for developers to have their application tested and approved (more likely)?

This could have implications for the speed and amount of Twitter applications and clients being produced, and also move such development away from bedroom coders depending on the fees for such services.

It certainly means that there could be a move for more users to utilise more than one Twitter account to allow them to test applications and clients etc without compromising their main account.

So what other implications do you think the arrival of large scale phishing attacks could have on Twitter – and what suggestions do you have for other Tweeple – and Twitter itself, to try to minimise the damage of future attacks?

