by fulafel 3256 days ago
I'm not sure if you're serious, but in this case the user obviously was not intending to install a "legitimate application with similar functionality".

The user wanted to install a WhatsApp, Pokemon, etc type of application but was phished or otherwise deceived into completing the app installation interaction, and was left with no knowledge about the backdoor.


Right, you are correct, the user didn't want it. But the user's intent is not the line that distinguishes between phishing and a back door. Yes I'm serious. Phishing is a way to get people to do things they don't intend to do. Phishing involves a user interaction that is masquerading as legitimate, but is in fact malicious against the user's intent. Both phishing and back door attacks are always attempting to do something unwanted, and always intending to do it without the user knowing what's really happening. But the language "without the user's knowledge" referring to back doors means without any user interaction.

I'm sure there are gray areas and situations where it's hard to distinguish, but a backdoor is most commonly defined as not involving any user interaction. A phishing attack involves user interaction. The phishing attack can be used to install a backdoor for future attacks, but that's not what happened here. This phishing attack asked the user for permission to do the things it wants to do. That's the front door.

It's a guy pretending to be the mailman ringing the doorbell and asking if he can come in, then stealing stuff while he's there. The backdoor is a thief in a mask sneaking in a slightly open window at night when nobody's home. The difference is the fake mailman asked for permission. Even though he was fake. It wasn't my intent to let a thief in the house, it was my intent to let the mailman in, but I still got robbed.

Make sense now?

This distinction is important because there are things you can do to avoid phishing, as there are in this case, but there is nothing you can do to avoid a real back door, because it happens without any signaling at all, it happens without your knowledge. So back to @debatem1's point, this should have been called a sophisticated phishing attack, rather than being called, inaccurately, a back door attack.

Backdoor is a type of persistent malware. Phishing is a way to infect a device with malware, be it a backdoor or ransomware or whatever.

There is always some infection vector associated with a backdoor.

Yes, right, that's correct. The infection vector itself is precisely what is known as the "back door". That's the point. Back doors are the vector, whereas with phishing the user is the vector.

The definition of a backdoor is an attack that bypasses security and doesn't require user input. The definition of phishing is an attack that requires user input, by tricking the user into using their own credentials to authorize access.

Back doors can be opened intentionally or unintentionally by whoever designed or set up the system, but they allow an attacker to get in without involving any input or action from a legitimate user of the system.

Phishing is a way to infect a device with malware by tricking the user into installing the malware. That's exactly what happened here. GhostCtrl is malware that infects via phishing, because it requires the user to authorize it, and it does not have an attack vector it can use without the user's authorization.

It sounds like we're all straightened out and in agreement?

No, the infection vector, e.g. phishing or a browser exploit or a trojan or whatever, is what enables a back door to be installed. The back door is not an infection vector; it is the payload.

Yes, there is a type of back door that is factory installed as part of the dev process of an otherwise legitimate product. But in the context of malware, the backdoor is a payload that enables malicious remote access. Like the glossary entry I linked explains.

Yes, it is possible to install a back door after you've gained access. I'm fine with calling GhostCtrl a phishing attack that installs a back door. The big question here is which part of the attack elevates access to user or root level?

The miscommunication here between us is that you're looking at what GhostCtrl does after it already gained access. Because the first point of contact, the initial entry point, is using the security systems as they were designed to be used, and tricking the user into granting access to the malicious software, the attack as a whole is a phishing attack. As I understand it, the payload is not by itself elevating access, it is using access the user granted to do bad things, not achieving a higher access level.

The payload of an attack of any sort is not commonly understood to be the "back door", I think you're slightly off the mark there. You're not wrong, but you're going to have trouble talking to other people if you keep insisting on this, because the common understanding of a back door is that it's a way of getting in, by bypassing security. It's normally defined as a way of initiating an attack, not the malicious result of an already complete attack.

The only way to define a back door as you have is to have another attack in front of it. If the back door is the payload, then you have to deliver and execute the payload somehow. In the case of GhostCtrl, that mechanism is phishing.

If you scroll back, this started with "Why is this being called a backdoor? Is there any indication that that's what it is?". I linked to a glossary entry I think reflects the common usage in malware context.

Not every payload is a back door; payloads can also be ransomware, DDoS bots, etc.