September 29, 2009 5:51 PM PDT

Banking Trojan steals money from under your nose

by Elinor Mills

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.

"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."

Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.

During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.

The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account.

(Credit: Finjan)

Here's how the Trojan works:

Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and has malware hidden on it.

In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.

While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum amount, a range that is below the amount that triggers antifraud systems, and is told to leave a certain percentage in the account, Ben-Itzhak said.

After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.

"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."

A Finjan blog post describes it like this:

URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants... The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the user to approve a fraudulent money transaction from his account... So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.

The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.

Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.
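The check a customer or a bank's alerting service can run against this kind of display tampering, as an added example that is not from the article or Finjan's report: compare what the browser session showed with a record obtained outside the infected browser (SMS alerts, an ATM slip, a statement viewed on another computer). The record layout, names and sample figures below are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    ref: str          # bank-assigned transaction reference
    payee: str
    amount: Decimal   # negative for debits, positive for credits


@dataclass
class Report:
    hidden: list           # in the trusted record, missing from the browser view
    altered: list          # (shown, real) pairs: same reference, different details
    balance_gap: Decimal   # displayed balance minus trusted balance
    gap_explained: bool    # gap equals exactly the concealed debits

    @property
    def suspicious(self) -> bool:
        return bool(self.hidden or self.altered or self.balance_gap != 0)


def balance_after(opening: Decimal, txns) -> Decimal:
    """Balance after applying every transaction to the opening balance."""
    return opening + sum((t.amount for t in txns), Decimal(0))


def reconcile(displayed, displayed_balance, trusted, trusted_balance) -> Report:
    """Compare the browser's view of the account with an out-of-band record.

    `displayed` is what the online-banking page listed; `trusted` is the same
    period taken from a channel the infected browser cannot rewrite.
    """
    shown = {t.ref: t for t in displayed}
    hidden, altered = [], []
    for real in trusted:
        seen = shown.get(real.ref)
        if seen is None:
            hidden.append(real)                      # erased from the activity list
        elif (seen.payee, seen.amount) != (real.payee, real.amount):
            altered.append((seen, real))             # parameters changed in transit
    gap = displayed_balance - trusted_balance
    # A fake balance showing "what the amount would be if not for the theft"
    # is off by exactly the money that was concealed.
    concealed = sum((-t.amount for t in hidden), Decimal(0))
    concealed += sum((s.amount - r.amount for s, r in altered), Decimal(0))
    return Report(hidden, altered, gap, gap != 0 and gap == concealed)


# Constructed sample data: three real debits, one of which the browser hid.
OPENING = Decimal("12000.00")
TRUSTED = [
    Txn("R-1001", "Landlord", Decimal("-800.00")),
    Txn("R-1002", "Grocer", Decimal("-45.50")),
    Txn("R-1003", "Unknown payee", Decimal("-3150.00")),
]
DISPLAYED = TRUSTED[:2]
TRUSTED_BALANCE = balance_after(OPENING, TRUSTED)        # 8004.50
DISPLAYED_BALANCE = balance_after(OPENING, DISPLAYED)    # 11154.50

if __name__ == "__main__":
    report = reconcile(DISPLAYED, DISPLAYED_BALANCE, TRUSTED, TRUSTED_BALANCE)
    for t in report.hidden:
        print(f"not shown in browser: {t.ref} {t.payee} {t.amount}")
    print(f"balance gap: {report.balance_gap} "
          f"(matches concealed debits: {report.gap_explained})")
```

A gap that equals the concealed debits to the cent points to deliberate rewriting of the page rather than a pending-transaction timing difference.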

The Trojan also keeps a log of the victim's bank account log-in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.

This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.

People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.

Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that it is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Showing 1 of 2 pages (109 Comments)
by gggg sssss September 29, 2009 6:06 PM PDT
Ukraine? That is pretty good English in that javascript
by Pishkado September 29, 2009 6:23 PM PDT
Their server being located in the Ukraine does not mean that the perps are necessarily Ukrainian. With one exception (in German; "betrag" means "amount") the variable names are in English too. Unlikely for someone who speaks Ukrainian, or any other Slavic language, as his/her first language.
by WinNoMo September 29, 2009 8:56 PM PDT
And yet another indicator that my decision to abandon Windows was a good one.
by McPlot September 29, 2009 9:26 PM PDT
WinNoMo, I know you feel bad for leaving Windows, and feel ripped off for the overpriced hardware you bought. But please stop trying to justify your purchase by going from forum to forum posting "Windows sucks" lines. And with this one, JAVA script can be run on a PC, and a Mac, and Linux, and many cell phone OS's. So how does WinNoMo think that this was just a windows problem?
by benjwah September 30, 2009 12:49 AM PDT
@WinNoMo Anyone who thinks that all you have to do to be safe is not use Windows is equivalent to a tourist walking around Prague with a bum-bag.
You think you're protected, and that's why criminals love you.
by jellybeenz September 30, 2009 4:48 AM PDT
According to Symantec, this affects Windows only:
"Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000"
by sparrowhyperion September 30, 2009 6:39 AM PDT
WiNoMo.. Did you ever think that maybe the reason this attack does not affect Macs is because most people do not use Macs. And that there may be a GOOD REASON why most people don't use Macs. Like maybe they don't want to shell out 3 times as much for Apple's overhyped and overpriced hardware. Or, maybe because there is only about 10% as much available software for the Mac as there is for the PC. Or Maybe, just maybe, that they are pretty much just overpriced status symbols for folks who have a bad case of PC envy and are overcompensating for other shortcomings. This is not the only bug out there, and if you think there are no viri or trojans which attack the Mac, then you are eventually going to be in serious trouble. This bug could easily have been modified to affect the Mac since Java is cross platform. They probably just didn't think it was worth it since the target pool would be so small, and no one in it would have any money left in their accounts after paying for a Mac anyways...
by Warhaven September 30, 2009 10:01 AM PDT
That's not JavaScript in the picture. Looks like PHP.
by WinNoMo September 30, 2009 11:21 AM PDT
Why do you people keep bringing up Mac?
by mathmeister September 30, 2009 12:24 PM PDT
I don't think the blue text (the "pretty good English") is from the hackers. It's probably been inserted by the security company (Finjan) to explain what is going on in the code. The variable names seem to be based on a mix of German and English. Also, I work for an international software company and our programmers around the world often use English because they learned to code that way.

Bottom line: I wouldn't read too much into the English. The hackers could be from anywhere. The main clue is the use of some German words in the code (and the fact that they target German banks). This makes it most likely that they are European. (Perhaps from Germany, perhaps from Eastern Europe, who knows.)
by george_liquor September 30, 2009 9:55 PM PDT
sparrowhyperion: I'd say the Mac pays for itself in the money you DON'T get stolen from your bank account using it instead of Windows on a PC. And that old 'Mac viruses are coming any day now' chestnut is one I've heard since OS 10.1 & one that still has yet to materialize.
by ballmerisanape September 29, 2009 6:38 PM PDT
What browsers are vulnerable? The article does not say.
by timber2005 September 29, 2009 6:55 PM PDT
Trojan to me implies there is a separate piece of software in the mix, which is manipulating data before it displays in any browser. Mix of a trojan and a man in the middle.
by Perry_Clease September 29, 2009 7:09 PM PDT
According to Symantec it affects Explorer and Firefox

http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-1009-99
by blackspyder1 September 30, 2009 6:28 AM PDT
So use chrome i guess?
by styymy September 30, 2009 6:42 AM PDT
The article stated that it exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera on Windows systems.
by elinormills September 30, 2009 8:05 AM PDT
The article has been updated to indicate the trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera on Windows systems.
by threedaysdwn September 30, 2009 2:55 PM PDT
Based on the description it requires admin privileges... so, the user would have to OK a UAC prompt on Vista / Win7 for it to do its badness. Further, it should be stopped by Protected Mode IE on Vista or Win7. I don't see any indication that this can affect Vista or Win7 without the user approving a malicious installation. If it attacks a Firefox exploit that's probably the most dangerous attack vector since Firefox isn't sandboxed like IE and Chrome.
by Dalkorian October 2, 2009 9:26 AM PDT
@threedaysdwn, don't be distracted by the fact that this one targets winblows. It's a trojan, meaning the first "nasty" thing it did was trick the user into installing it. Once that's done, it's game over. OS X, Ubuntu, Fedora, Suse, BSD, all could fall to a trojan for the simple reason that it's not the computer's job to tell the user what they can and can't install in their own machine.

I have no love for M$ (except my love of hating them), but a trojan is a dangerous thing on any platform.
by omriabas September 29, 2009 6:42 PM PDT
The solution to bank fraud is hardware and not software. The bank "Fraud Detection Systems" are a set of rules that allow other software programs to just run them over, the total amount of money banks lose worldwide per annum is growing every year and it comes to dozens of billions of US$.
The problem with software sentinels for both internal and external fraud, that once you know the rules, you can bypass them, whereas with hardware it is much harder to do and with unique hardware solution for each bank, hacking into the system will become much harder - never will it be impossible maybe, but it will bring down the numbers to 5% comparing to today's numbers.

The moment banks will admit the problem and admit they need to change their attitude towards security, then breaking and hacking and committing fraud will become far more difficult.
by luke_marsh September 30, 2009 1:15 AM PDT
One hardware option is to look at alternatives to encryption like ignorant processors which I think are now being looked at in some respects. That is to say all the banking data goes through a Chip that only knows certain XML like strings and is ignorant of all other data. So if you don't know the security information needed then you can't access the information the other side of the processor and you can't put viruses through because those data types simply are ignored.
Another way is to do banking data transmissions in more noisy data piping that way without knowing these noisy path ways you can get trapped easier for attempting Fraud(Kind of like getting caught in a sea current).
by Mergatroid Mania September 30, 2009 11:17 AM PDT
The real and immediate solution is to not use the internet for financial transactions. It has never been secure and never will be secure.

This is just one more of a bucketful of reasons to not use computers for banking or purchases over the net.

Anyone who believes it's safe to do so is either ignorant or stupid.
by threedaysdwn September 30, 2009 3:01 PM PDT
I think you guys are missing the point. The attack is against the client. The user says they want to transfer $100 from A to B, and the trojan rewrites the (otherwise legitimate) request to be for a different amount and different recipient.


@Mergatroid

So you didn't order your tin foil hat online?

Banking over the web is quite safe if you take the rather simple prudent actions needed to protect yourself. It is certainly a great deal safer than using an ATM or using a credit card at a restaurant... and most people consider those things to be an acceptable risk.
by eastmanweb September 29, 2009 6:54 PM PDT
If javascript is disabled, can this trojan get on your computer from a website?
by elinormills September 30, 2009 11:35 AM PDT
Yes
by mbenedict September 30, 2009 12:51 PM PDT
The more complete answer is: "it depends".

Note the attack had a 7.5% infection rate. That means the vast majority of computers which accessed a compromised website (92.5%) were NOT infected, presumably despite having JavaScript turned on. The machines which were not compromised likely had up-to-date patches.

Of those infected, about half were successfully compromised. This particular attack was very specific to German banks. The worry is new attacks will target banks in other countries.
by tektaktyks September 29, 2009 6:56 PM PDT
Judging by how they steal the money (taking a little bit each time and hoping I'm not going to notice) they are doing exactly the same thing all my utility companies (Verizon, AT&T, ConEd etc) have been doing to me for years. Nothing new to me.
by opiapr September 29, 2009 10:42 PM PDT
My bank does the same they charge me overdraft fee when there is available balance. They will remove it after I call claiming a "glitch" but if I for some reason miss it they will in effect steal from me.

I won't name the bank..... screw them is wachovia.
by Seaspray0 September 30, 2009 6:47 AM PDT
+1, tektaktyks.
by libertyforall1776 September 29, 2009 7:26 PM PDT
What poor reporting -- the article says it affects "major browsers" -- how about specifying WHICH are vulnerable? Safari? Firefox? Opera? which?
by Perry_Clease September 29, 2009 7:45 PM PDT
Explorer and Firefox
by krisztoforo September 29, 2009 9:37 PM PDT
What version of Explorer and Firefox???
by baconstang September 29, 2009 10:46 PM PDT
So running Safari on a Mac is OK? Who'd a thunk?
by wahoospa September 30, 2009 7:21 AM PDT
It tells you in the 3rd paragraph which browsers are vulnerable. If you cannot see it here it is:
"It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera,"
by lavalight September 29, 2009 7:49 PM PDT
Wow, Elinor, it took some skill to write hundreds of words describing this Trojan in detail while conspicuously leaving out the fact that it only hits Windows users. Congratulations!
by bananaphonerules September 29, 2009 8:11 PM PDT
With a total of 0-49 infections in 2 sites? I'm scared. Where's my foil hat?
by McPlot September 29, 2009 9:32 PM PDT
Java is everywhere! In your Car, in your Blu-Ray player, on your PC, on your Mac, on a Linux based machine. So how is this ONLY a windows problem? I can see IE, but firefox is also available for Mac and Linux, so how again is this just a Windows problem?

With a hippie name like Lavalight, I can tell you use a Mac. PLEASE don't just post things to justify your purchase of a Mac by saying Windows sucks, over and over and over. I have used both Windows and Mac. I have never had a problem with either. Then again, I protect my computer and surf porn using my Linux boot. ;)
by baconstang September 29, 2009 10:48 PM PDT
If on a Mac can this Trojan install without Admin. password?
by nashville2 September 30, 2009 3:33 AM PDT
@MacPlot: FYI, Java and Javascript are unrelated. From Wiki: "JavaScript, despite the name, is essentially unrelated to the Java programming language even though the two do have superficial similarities." http://en.wikipedia.org/wiki/JavaScript
by cptnjarhead September 30, 2009 5:31 AM PDT
Maybe Elinor assumed that most people reading this article know that writing a trojan for an OS that only has 6% of the global market is not even worth the trouble... but I'm sure you knew that.
http://www.w3schools.com/browsers/browsers_os.asp
by jsw111 September 30, 2009 2:01 PM PDT
Java and JavaScript are NOT the same thing. Java is an object-oriented programming language that can be used to build applications as well as web-sites. JavaScript is usually used only for websites. Just because the virus uses javascript to run in your browser does not mean that the virus was entirely written in this language. The code snippet provided looked a lot like PHP. Also, they don't affect Macs because of the browser and the Linux based OS. I have both a PC and a Mac and probably use my PC more (bc it's newer)....But, I use Chrome....it's secure, for now....
by chudq September 29, 2009 8:16 PM PDT
Sorry for some PC victims.
by tech_crazy September 29, 2009 8:22 PM PDT
The trojan toolkit name is LuckSploit (as in exploit), not spoilt.

@lavalight,
You could be right about the windows only thing but have not seen any mention of that on other sites. A link would be much appreciated. Being javascript based, it could very well be on other OSes also.
by Perry_Clease September 29, 2009 8:48 PM PDT
See this story http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-1009-99
by mbenedict September 30, 2009 12:53 PM PDT
Wrong trojan Perry.
by cnetuserinny September 29, 2009 9:27 PM PDT
The best solution is to do online banking using Firefox running under Linux.
See Crimeware gets worse - How to avoid being robbed by your PC
http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc
by chudq September 29, 2009 9:36 PM PDT
This Trojan was discovered in December 17, 2007 and updated in January 8, 2008. Not sure why it becomes a big news today: in CNET and BBS Tech news. Not sure what's media's intention.

Anyway, this malware seems targeting at Windows based PCs. Based on this article, PC users may get infected by email or prompt click. It sounds like that the malware is first as an executable program. When it is activated by clicking, then the Trojan is installed into browser (as javascript based plugin?). For Mac users, it is just impossible to get a piece of binary to run as an installer by email or click. Mac is based on strong UNIX security framework. It is hard to get infected and even harder to spread to other users.
by Seaspray0 September 30, 2009 7:09 AM PDT
"For Mac users, it is just impossible to get a piece of binary to run..." Oh really?
http://news.cnet.com/8301-1009_3-10199652-83.html?tag=mncol;posts
Safari hole exploited in seconds at security conference
by shycelticwitch October 1, 2009 11:19 AM PDT
@Seaspray... ONLY after they disabled some features. First hacking attempts were unsuccessful. One article does not make it fact. Read the "rest of the story".
by Dalkorian October 2, 2009 9:45 AM PDT
Nothing is impossible, remember this is a trojan. It's already tricked the user into installing it, the user is likely to expect any password prompts it will generate.

Don't worry, I bet I hate winblows more than you.
by luke_marsh September 30, 2009 1:03 AM PDT
It's dodgy game Fraud and without it many economic benefits wouldn't happen and with it many problems arise.
We can't live with it we can't live without it and it's ran by the brave people who might get caught out.
Why do I say this well if I was printing money and I said I wanted to give money to a few more, many more would be at my door demanding theirs which would collapse potentially the whole Economic system because Supply would not meet demand fast enough. However If I did nothing supply would not meet demand the other way round and that's where fraud comes into play, It's not fair but when policed well It works (by the way $432,000 is a joke).
It's the hole in Marxism He missed the bit about people always wanting more and what that really means not that trying to distribute the economy well is not a good idea and a good part of the economy in itself just that the economy is more dependent on production/supply than capital. for example you could theoretically run a whole economy on other systems than money but nothing no matter what you tried would work without supply.
by bridge solution September 30, 2009 7:14 PM PDT
$432k is a joke??
let's say 6 guys worked on learning from past mistakes/ successes in such trojan writings, for 100 hours a week for 7 weeks, and handed out $12k to the mules.
that's $10k a week per guy, or $100 an hour per guy .
"tax free."
or maybe their costs were 15% higher in time/$.
$85 an hour after taxes.
if you're doing that well, do yourself a favor and don't say "rent a coder" anywhere near a client.
:"you could theoretically run a whole economy on other systems than money"
since about 600 BC nobody has been able to have such a game run for more than about a generation.
"capital" is just term for stored energy.
by gertruded September 30, 2009 3:54 AM PDT
Never use Windows for a critical task if that computer is ever on the internet. Since you must be on the internet to use internet banking services, never use windows to do the job. Windows is just too big a target for criminals.

Use windows only on a computer that is not attached to the internet. It is a good operating system for computers that are isolated.
by cloudmatt September 30, 2009 6:19 AM PDT
Why whenever there is a virus do all the I-Bots come out in droves. Mac is just as susceptible to virus and hacking and in some cases more so. These statements of Mac security is like saying that Switzerland is safest country because they are better, they are safer cause no one cares to attack them. Same with mac, a hacker who wants money isn't going to target 7.51 percent (recorded mac x and i-Phone os on the internet) they are going to target 86.44 percent (windows users on the internet). They aren't going for easy targets they are going for the broadest category. I'm not anti mac I just can't stand all this windows bashing.

http://www.w3counter.com/globalstats.php (my source for numbers)
by gertruded September 30, 2009 7:05 AM PDT
@cloudmatt Your comments, except for the I-Bot part are mostly correct. They are also sufficient reason to avoid Windows. It is simple, if an OS is the target, use another OS. My argument has nothing to do with the value of an OS if they both were targeted. Why would anyone put themselves in harms way when they do not have to.
by cloudmatt September 30, 2009 7:30 AM PDT
first touche, I accept that the safest way to use windows is in a bell jar but that's like saying the safest way to drive is to never turn the key. Don't want to get swine flu lock yourself in doors surround your house in a moat of fire and take up sniping position on the roof just to be sure. your suggestion is unrealistic, and while I'm not against people moving to mac if that is their preference. even if everyone in the world reads your post and mac or Linux is the new top dog the hackers spammers etc. will just shift targets. changing os is not the solution and no os is safe. Even a mac user should install a virus scanner and keep up with updates. awareness of the threat is far safer than assuming the threat is not against you.
by Dalkorian October 2, 2009 9:58 AM PDT
Some facts to keep in mind here:

- There have been Unix viruses in the past. There hasn't been one in a while and *nix is fairly proof against them, but nothing is "impossible".

- Since OS X is based on a unix derivative (Darwin), it's also quite strong against viruses. Proof - there hasn't been one against it yet. Not. One. Virus. OS X is currently in its 6th iteration (Snow Leopard, 10.6) and the original version came out nearly a decade ago. If it was so easy to do, it would have been done by now.

- OS 9 had many viruses that affected it and had a fraction of today's OS X market, so the "market share" fertilizer is bunk and won't grow anything but stupidity.

- Most important one of all - THIS IS A TROJAN, NOT A VIRUS. The user got tricked into installing it. Maybe winblows made that easier, but once their foot is in the door the game is over. Any *nix derivative will allow the user to install programs!
by SJ2571 September 30, 2009 4:33 AM PDT
My bank sends me an SMS whenever a transaction occurs, so I'm totally safe. Nothing goes out without my knowledge. Besides, wouldn't an outgoing firewall stop the trojan sending info out of the PC?
by mathmeister September 30, 2009 12:30 PM PDT
The SMS is a good idea. More banks should offer that.

The firewall wouldn't stop it because the requests are coming from the browser. If they were blocked, then all your normal banking would be blocked as well. That's what's ingenious about this Trojan, it operates exactly as if you were issuing the commands, but it doesn't show you the results (unless you get them from a separate source like the SMS messages.)
by born_yesterday September 30, 2009 4:49 PM PDT
I have to agree, this sounded like a good solution. Which bank do you use? Do they charge you for this service?
by MeatSpigot October 1, 2009 4:39 AM PDT
Unfortunately wrong. Several banks in South Africa were using this approach and with one guy inside the cell company managed to steal millions.
by DarioCK September 30, 2009 4:45 AM PDT
Surely it cannot be that easy... For example all banks here in Spain when making any transaction which involves movement of money require you to enter a code from a plastic card. On the card there are 50 different 4 digit numbers and the system will ask for a random number from the card. There is no other way to do so, I wonder if these people are targeting specific banks who don't have a coded security function and just use standard passwords or would this trojan bypass this function?
by ikramerica--2008 September 30, 2009 9:01 AM PDT
It seems as if it targets German customers, so maybe their banking system is easy to exploit? From the way it works, can't see this happening in the USA, as simply transferring money from your account to a third party account is NOT easy. It takes jumping through hoops, verification by a real person (first time to that account), etc. Bill pay doesn't require this, but bill pay is easily trackable and reversible and not immediate.
by SergeM256 September 30, 2009 1:08 PM PDT
I guess this system with 50 passwords would not help. If I understand correctly, virus intercepts connection to bank - user enters command "pay $20 cellphone bill" - virus sends to bank "pay $20,000 to John Joe" - bank to user "enter password" - user enters password thinking he authorized $20 transaction when he authorized $20,000 transaction.
Apparently, it is specific to a bank - all banks have different layout of their website and virus has to navigate website to collect information and imitate website's view it presents to a user.
by DarioCK October 1, 2009 3:23 AM PDT
I may add to my own post, but also the bank I am with also notifies you via SMS, email or automated telephone call (You can choose, not all at once) whenever you make any movement along with the 50 number key card you are given. Even if I withdraw from an ATM I get notified.
by inachu1 September 30, 2009 5:31 AM PDT
Why can't we impose the death penalty on these crooks?
Sharia law would be a good thing.
If they knew their hand would be chopped off if caught then this type of fraud would go down by over 75% or until they get sneakier.
by bridge solution September 30, 2009 7:19 PM PDT
inachu1,
well, i suppose people could default to the neo-caliphate position of bin laden et al and have a world govt running sharia law.
"or until they get sneakier"...hmm. i'm not seeing any reports of arrests on this one, yet. nor of very many of the past 71 such ...
by Motyoj October 1, 2009 6:16 AM PDT
Well, if they did chop off the hands of the people that were coding these baddies, they wouldn't be able to code anymore.
by screamapillar October 5, 2009 4:17 PM PDT
Death penalty and corporal punishment exists in many nations, not just those with Sharia Law. Nevertheless, neither have demonstrated any form of reduction in crime rates. In addition, don't you think that punishment is a little disproportionate to the crime? Enron bosses get nothing, poverty line hacker gets hands cut off. Hmm... Look, what this encourages is that there is nothing wrong with the crime, only getting caught. So you get an arms race so to speak (pun intended, naturally).

This is the same stupid logic that equates legalising abortion with increased abortion rates - something that has not happened in a single nation with legalised abortion. Or supporting single teen mothers will encourage more teens to be single mothers - the attitude of most of the US law makers right there, and yet, the US has the highest teen pregnancy rate in the world while countries that support teen mothers have the lowest.
by SwitchfastTech September 30, 2009 6:45 AM PDT
So this does not affect Chrome?
by MD_Willington September 30, 2009 7:05 AM PDT
Would not surprise me one bit if the banks themselves were behind all of this.

BTW - I work with people from Ukraine, Poland etcetera, some of them have a better understanding of the English language than people who's first language is English.
by Warhaven September 30, 2009 10:04 AM PDT
Point in case: Whose, not who's. :D
by The_happy_switcher September 30, 2009 2:57 PM PDT
"...than people 'who's' first language is English." Apparently better than yours, too. lol
by balanced September 30, 2009 7:34 AM PDT
Awesome to see all the Windows apologists come out and defend a broken platform once again.
by MaLvaDo39 September 30, 2009 7:51 AM PDT
Massive Windows problems.... nothing new... stockholm syndrome... keep the sheep in the pen at all costs.

Get a Mac.
by The_happy_switcher September 30, 2009 8:13 AM PDT
Another fun day in Winders Adventureland. Now that no one has bought Pista Microsnot is banking on Winders 7 to fix everything. Good luck with that. Wish in one hand, ***** in the other, see which one fills up faster--Winder users.
by WinNoMo September 30, 2009 12:09 PM PDT
Windows No More
by born_yesterday September 30, 2009 4:54 PM PDT
Get a life and make some useful suggestion for a change.
by Vegaman_Dan October 3, 2009 1:18 AM PDT
@The_Happy_Switcher:

Another happy and joyful comment, as always. I'm glad to see you fill your day with sunshine and happiness, spreading cheer and good will everywhere you go.

Oh, and respect too! I almost forgot that. Your comments are always so very respectful of companies and people. I always enjoy how you thoughtfully construct your well laid out comments which add so very much great value to any and all conversations.

Once again, thank you for brightening everyone's day with your wit and whimsy!
by opit September 30, 2009 8:00 AM PDT
That's a wild exploit - that threatens online banking's very existence.
People : the article plainly states IE 6,7,8 plus Firefox and Opera ( ! ) are all at risk.
MD_Willington
Are you trying to prove your point with context ? 'I' might be understood. I have never heard of 'it' being omitted in that fashion. "Who's" is the contraction for "Who is" : not the possessive "Whose".