Users are tricked into clicking links such as "World Cup 2010 in HD" or "Justin Bieber's phone number" that their friends appear to have "liked".
Once clicked, the site is recommended on Facebook too, and could pose danger of potential malware, even though currently there's no such content on these sites. It also works across all computer operating systems.
The link generally takes the user through to a page containing an instruction, such as asking them to click a button to confirm that they are over 18.
However, wherever they click on the page it adds a link to their own Facebook profile saying they have also "liked" the site.
'Clickjacking' for now, is harmless, and does not actively result in any malware or phishing attacks, said Graham Cluley, senior technology consultant at Sophos.
"At the moment the attacks which we've seen are more like old-school viruses - written for the heck of it to see how many fans they can get.
"But our feeling is that it would be fairly easy for the bad guys to introduce some revenue generation for themselves," BBC News quoted him as saying.
A free plug-in called NoScript, built for the Firefox web browser, includes pop-up warnings about potential clickjacks, but will also query clicks on Flash videos, commonly used on many websites - and it is not easy to install, said Mr Cluley.
"You have to be a little bit nerdy to configure it."