What Is Box.com?
Box (box.com and formerly box.net) is a file-sharing website. A large percentage of Box users are businesses due to the company’s pricing structure. Subsequently, if you’re the average internet user, you may not hear about it before you learn other names such as Mega and Dropbox. Box gets new users by offering products and solutions for businesses.
Box was cofounded by Aaron Levie, Dylan Smith, Jeff Queisser, and Sam Ghods. Box struggled to grow as a company until Mark Cuban invested $350,000 in 2005. The Wayback Machine shows the domain box.net was originally used in January of 1998, suggesting it may have been acquired by Aaron Levie, the cofounder believed to have started the project, at a later date. According to Wikipedia, Box wasn’t founded by Aaron Levie until 2005, suggesting he bought the domain box.net with some of the funding of Mark Cuban. As of February 2023, the site box.com gets an estimated 44.7 million monthly views.
Website: https://www.box.com/
Is Box.com Safe?
I conducted a series of malware tests to find out if box.com is safe and legit. Here are the results:
I installed the Malwarebytes Browser Guard on my Edge browser and was able to browse the site box.com without any issues.
To check this further I ran malware scans with Malwarebytes and Spybot on my computer after browsing the site box.com and they returned no malware detection. I also ran a system-wide scan with Microsoft Defender and no malware was found.
To confirm that the site is clean, I also checked the site box.com on the online malware scanner Sucuri and it returned with no issues. You can see the same here: https://sitecheck.sucuri.net/results/box.com
Sucuri says the site box.com doesn’t have malware and is a low security risk. Sucuri also says the site box.com is not blacklisted by any of the 9 associated blacklist checks.
Some hardening improvements can be made such as solving the following missing security headers:
Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors ‘none’. Affected pages:
https://box.com:443/404javascript.js
https://box.com:443/404testpage4525d2fdc
https://www.box.com/CHANGELOG.txt
https://www.box.com/core/misc/ajax.js
https://www.box.com/misc/drupal.jsMissing security header to prevent Content Type sniffing. Affected pages:
https://box.com:443/404javascript.js
https://box.com:443/404testpage4525d2fdc
https://www.box.com/CHANGELOG.txt
https://www.box.com/core/misc/ajax.js
https://www.box.com/misc/drupal.jsMissing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src
However. these missing security headers are minor issues and don’t change the overall grade of the scan.
I also ran a parasite scan with Unmask Parasites on the site box.com and it found 2 suspicious inline scripts and 1 hidden external link. You can see the same here: https://unmask.sucuri.net/security-report/?page=box.com
I have listed them below:
Hidden link:
https://segment-box.com/?key=9mEaWAAXfspF6epYVozDiTF43jJErnJl
Long suspicious script:
(window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={xpid:"VQ...
Long suspicious script:
(function(){var js = "window['__CF$cv$params']={r:'7a50b7919acace40',m:'0rndNVPP2I3vkbHGoCw86k.SIT4MnjadE4gjR5sDVvc-16783...
Lastly, I ran a malware scan with VirusTotal on the domain box.com and no security vendor has flagged the domain as malicious. You can see the same here: https://www.virustotal.com/gui/domain/box.com
In conclusion, the site box.com doesn’t have malware and is a low security risk according to Sucuri. Unmask Parasites did find a suspicious link and 2 suspicious long scripts. No security vendors associated with VirusTotal or Sucuri have flagged the domain as malicious.