TLS Certificate and Domain Feature Analysis of Phishing Domains in the Danish .dk Namespace
Athanasios P. Pelekoudas, Epameinondas Bolis, Jasmin Lindner, Prodromos Kyriakidis, Mathias Davidsen, Johannes T. E. Hansen, Christian H. Reichkendler, Sajad Homayoun

TL;DR
This study analyzes TLS certificate and domain features to differentiate phishing domains from legitimate ones in the Danish .dk namespace, highlighting the limitations of individual indicators for detection.
Contribution
It provides an empirical analysis of certificate and domain characteristics of phishing versus legitimate domains in Denmark, revealing overlaps and detection challenges.
Findings
Several features differ between phishing and popular domains.
Phishing domains often resemble less popular domains, causing overlap.
No single feature reliably indicates phishing activity.
Abstract
Phishing attacks remain a persistent cybersecurity threat, and the widespread adoption of TLS certificates has unintentionally enabled malicious websites to appear trustworthy to users. This study examines whether certificate metadata and domain characteristics can help distinguish phishing domains from benign domains within the Danish .dk namespace. A dataset was constructed by combining registry information from Punktum dk with phishing reports and popularity rankings from external sources. TLS certificate attributes were collected using Netlas, while additional domain-based features were derived from DNS records and lexical analysis of domain names. The analysis compares phishing, popular, and less frequently visited domains across several feature categories, including Certificate Authorities (CAs), validity periods, missing certificate fields, SAN structure, registrant geography,…
Taxonomy
Topics: Spam and Phishing Detection · Cybercrime and Law Enforcement Studies · Authorship Attribution and Profiling
