Phishing attacks remain a persistent cybersecurity threat, and the widespread adoption of TLS certificates has unintentionally enabled malicious websites to appear trustworthy to users. This study examines whether certificate metadata and domain characteristics can help distinguish phishing domains from benign domains within the Danish .dk namespace. A dataset was constructed by combining registry information from Punktum dk with phishing reports and popularity rankings from external sources. TLS certificate attributes were collected using Netlas, while additional domain-based features were derived from DNS records and lexical analysis of domain names. The analysis compares phishing, popular, and less frequently visited domains across several feature categories, including Certificate Authorities (CAs), validity periods, missing certificate fields, SAN structure, registrant geography, hosting providers, and lexical properties of domain names. The results indicate that several features show observable differences between phishing and highly popular domains. However, phishing domains often resemble less popular domains, resulting in substantial overlap across many characteristics. Consequently, no individual feature provides a reliable standalone indicator of phishing activity within the Danish namespace. The findings suggest that certificate and domain attributes may still contribute to detection when combined, while also highlighting the limitations of relying on individual indicators in isolation. This work provides an empirical overview of phishing-related infrastructure patterns in the Danish .dk ecosystem and offers insights that may inform future phishing detection approaches.

翻译：网络钓鱼攻击仍是持续存在的网络安全威胁，而TLS证书的广泛普及在无意中使恶意网站对用户显得可信。本研究考察证书元数据和域名特征能否帮助区分丹麦.dk命名空间中的钓鱼域名与良性域名。通过整合Punktum dk的注册信息与外部来源的钓鱼报告及流行度排名，构建了数据集。利用Netlas收集TLS证书属性，同时从DNS记录和域名词汇分析中提取额外的基于域名的特征。分析比较了钓鱼域名、流行域名和低频访问域名在多个特征类别上的差异，包括证书颁发机构、有效期、缺失证书字段、主题备用名称结构、注册者地理位置、托管提供商以及域名词汇特性。结果表明，若干特征在钓鱼域名与高流行域名之间呈现可观察的差异。然而，钓鱼域名常与低流行域名相似，导致许多特征存在大量重叠。因此，在丹麦命名空间中，单一特征无法提供可靠的独立钓鱼活动指标。研究发现表明，证书和域名属性在组合使用时仍可能有助于检测，同时也揭示了依赖单一独立指标的局限性。本研究提供了丹麦.dk生态系统中钓鱼相关基础设施模式的实证概述，并为未来钓鱼检测方法的发展提供了参考。