Hundreds of thousands of Facebook users are falling victim to so-called "clickjacking" attacks, warn web security labs.
Facebook members see links to subjects such as "World Cup 2010 in HD" or "Justin Bieber's phone number" that their friends appear to have "liked".
Clicking the link tricks users into recommending the site on Facebook too.
Security experts say the scam currently has no malicious intent but could be adapted to deliver malware.
The link generally takes the user through to a page containing an instruction, such as asking them to click a button to confirm that they are over 18.
However, wherever they click on the page it adds a link to their own Facebook profile saying they have also "liked" the site.
Currently the purpose of clickjacking is "trivial" and does not actively result in any malware or phishing attacks, said Graham Cluley, senior technology consultant at Sophos.
"At the moment the attacks which we've seen are more like old-school viruses - written for the heck of it to see how many fans they can get.
"But our feeling is that it would be fairly easy for the bad guys to introduce some revenue generation for themselves," he told BBC News.
Clickjacking works across all computer operating systems, added Mr Cluley.
The Facebook attack uses iFrames, which essentially places an invisible button over an entire web page, so that wherever the user clicks, they end up hitting the button - in this case a hidden Facebook "like" button.
A free plug-in called NoScript, built for the Firefox web browser, includes pop-up warnings about potential clickjacks.
However, it will also query clicks on Flash videos, commonly used on many websites - and it is not easy to install, said Mr Cluley.
"You have to be a little bit nerdy to configure it."