Gogax's business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In this case of this this $600,000 fraud the IP addresses were delegated by Gogax to a company called Krutikservers in Azerbaijan.
There are also several fake and/or illegal pharmaceutical sites in the address range, which makes it odd that a legitimate organisation like the Swedish Covenant Hospital should choose to host in the same IP range as criminals.
Google's safe browsing diagnostic is pretty damning:
Safe Browsing
Diagnostic page for AS21793 (GOGAX)
What happened when Google visited sites hosted on this network?
Of the 595 site(s) we tested on this network over the past 90 days, 35 site(s), including, for example, ajvar.com/, freezlylo.com/, no-ip.be/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2010-09-05, and the last time suspicious content was found was on 2010-09-05.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 225 site(s) on this network, including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that appeared to function as intermediaries for the infection of 3632 other site(s) including, for example, rubensf.com/, rebeccaflinn.com/, jesus-messiah.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 207 site(s), including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that infected 3270 other site(s), including, for example, rubensf.com/, jesus-messiah.com/, ottomiller.com/.
The full list of domains, MyWOT ratings, delegations and a prognosis as to whether it's the sort of site you might want to visit can be found here, below is a summary of some of the more suspect delegates (note that some of the delegate names could be forgeries):
Abdto He
China
Counterfeit Goods
Allen Jason
United States
HYIP schemes
Cecile Dagorne (Possible forged name)
France
Malware distribution
Emil Vdovin
Russia
Fake / illegal pharmaceuticals & counterfeit goods
Global
Argentina
Fake / illegal pharmaceutical
Gogax
Canada / US
Rogue anti-virus, malware distribution, fake / illegal pharamceuticals
James Schumaker (Possible forged name)
US
Fake / illegal pharamceuticals
Krutikservers
Azerbaijan
Fake jobs / money laundering
Loyalty Servers
Russia
Fake / illegal pharamceuticals, malware distribution, hardcore pornography, illegal software downloads
Michael Chekin
Russia
Fake / illegal pharamceuticals
Paule Uvinekov
Ukraine
Child pornography (reference)
Saman Mazaheri
Iran
HYIP schemes
Telekurs Holding (possible forged name)
Switzerland
Malware distribution
Valeria Duarte
Argentina
Fake / illegal pharamceuticals
Vlad Rybak
Ukraine
Fake / illegal pharamceuticals
Weiliang Zhang
China
Counterfeit goods
WellHost
Ukraine
Fake / illegal pharamceuticals, malware distribution
The bad stuff on this network easily outnumbers the legitimate stuff, blocking the entire 76.76.96.0/19 (76.76.96.0 - 76.76.127.255) will probably not cause significant problems. And if you are a legitimate site operator hosting with Gogax.. they it might well be time to change hosts before the whole lot gets blackholed.
Update: 23/5/11
Gogax claims that the block is now clean. However, the MyWOT rankings for this block still show some sites with very poor reputations (you can see a list of domains and ratings here).
