Phishing attacks remain a persistent cybersecurity threat, and the widespread adoption of TLS certificates has unintentionally enabled malicious websites to appear trustworthy to users. This study examines whether certificate metadata and domain characteristics can help distinguish phishing domains from benign domains within the Danish .dk namespace. A dataset was constructed by combining registry information from Punktum dk with phishing reports and popularity rankings from external sources. TLS certificate attributes were collected using Netlas, while additional domain-based features were derived from DNS records and lexical analysis of domain names. The analysis compares phishing, popular, and less frequently visited domains across several feature categories, including Certificate Authorities (CAs), validity periods, missing certificate fields, SAN structure, registrant geography, hosting providers, and lexical properties of domain names. The results indicate that several features show observable differences between phishing and highly popular domains. However, phishing domains often resemble less popular domains, resulting in substantial overlap across many characteristics. Consequently, no individual feature provides a reliable standalone indicator of phishing activity within the Danish namespace. The findings suggest that certificate and domain attributes may still contribute to detection when combined, while also highlighting the limitations of relying on individual indicators in isolation. This work provides an empirical overview of phishing-related infrastructure patterns in the Danish .dk ecosystem and offers insights that may inform future phishing detection approaches.