Investigating iOS Phishing Using Virtualization Technology

Anthony Ricco
Chief Marketing Officer   Corellium

Virtualization became a powerful tool in agile development due to its versatility and capability to deliver solutions quickly. It is no surprise then that security engineers are also turning to this technology, like Corellium, in order to investigate phishing attacks against iOS devices. As phishing attacks become more and more sophisticated – and it’s only getting worse with generative AI – organizations should expect more large-scale data breaches and supply chain attacks resulting from phishing attacks on employees.

According to Identity Theft Resource Center, supply chain attacks compromised more data last year than malware – and many of those attacks start with a phishing email or text. In 2022, both Toyota and Okta experienced serious high-profile security incidents that began with phishing. As a result of the rise in phishing-based attacks, more and more security engineers are digging into the origins and makeup of the content sent to employees, including iOS devices.

Sandboxing Potential Threats

Virtualization allows for the rapid deployment of an isolated virtual environment, which helps control the impact of suspicious activity from malicious software or actors. Since phishing

attacks often rely on social engineering techniques to deceive users into clicking malicious links or downloading malicious attachments, virtualization can be used to inspect the received emails in a safe environment. In order to investigate phishing attacks on iOS devices, security engineers can use virtualization technology to create an isolated instance of a device with only the necessary applications for their investigation.

This enables them to examine suspicious activity without exposing sensitive data or compromising its integrity. With this setup, they can then analyze email messages, attachments, and text for signs of malicious software or other threats. Some specific things to look for include payloads in attachments, the true source of the sender or campaign in the email header, source IP address, and executables.

Analyzing Attacks

Virtual machines also allow for easy testing since they can be used as sandboxes for analysis without compromising any other data on the host system or network. By accessing the same resources as a real user, security engineers and threat hunting teams are able to evaluate the safety of received content and detect any threats that may be present. For example, with a virtual device you can explore the consequences of specific user behaviors, such as clicking on a link or opening an email, to determine where additional risks may lie. If you’re using a virtual iOS device from Corellium, you also have built-in network monitoring tools that let you analyze encrypted C2 and app traffic instantly.

Additionally, virtualization is useful for examining the data that may have been taken during a phishing attack. By creating a replica of the user’s device, security engineers can analyze stolen information to evaluate sensitivity and severity of the data, as well as subsequent new risks caused by the attack, such as identity theft or password stuffing.

Creating Reverse Tunnels

Security engineers also use virtual iOS devices to visualize the attacker’s perspective as closely as possible. In some cases, this may require root access for any device configuration — including the latest versions of iOS — even when no public jailbreak is available. A remote virtual iOS device can also provide investigators with access to the internet through their local IP address, as attackers might only serve malicious pages when the incoming IP matches their expected target. Setting up a reverse tunnel can help you achieve this and gain valuable insights into the attacker’s tactics.

A reverse tunnel is a technique used to forward a remote machine’s port to your local machine, effectively allowing the remote machine to access resources on your local network. This can be especially useful when dealing with remote virtual devices or systems that are behind firewalls or have limited connectivity options. With a virtual iOS device, investigators can easily change the device’s physical location (GPS) to examine location-based threats and use a local proxy with VPN connectivity to gain network connectivity anywhere in the world.

After the attack has been analyzed, with virtualization, there’s no need to restore the phone or flash to a different version of the operating system; simply reset the virtual device to its last good snapshot and within seconds, you’re ready to begin the next round of testing.

Overall, virtualization technology is an invaluable tool when it comes to investigating phishing attacks on iOS devices. It enables security engineers to safely replicate users’ devices and analyze suspicious activity without putting additional assets or private information at risk. By taking advantage of virtualization technology, security engineers can actively engage with smishing and phishing scams directly from a virtual iOS device.


Anthony Ricco

Tags: , ,