It does appear to be a brute force or phishing attack. These sort of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/
It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.
It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.