Last year I got like 3 phone calls in the same month from people who's website were getting redirected FROM the Google serps. You could see the site in the search results, but when you clicked the link, it took you to a Chinese knock off pharmaceutical site (which they presented as a Canadian site. It was even on a .ca).
It was the damndest thing. After about an hour with the first one, I decided to check the theme files since you never know where people get themes from.
Finally found a small piece of js code in the sidebar.php file. Just sitting there. Completely out of place. From a dirty, rotten, "die all you spammers and hackers" stand point, it was pretty simple and pretty ingenious.
I removed it and all was well again.
I don't want to disparage the host because it probably wasn't their fault. But all 3 people were on the same host. None of them had a security plug in installed, or their log in screens redirected, and they all used the default username. And with that, the hackers installed the script. Probably from the administration editor. It's just that easy. For ANY website, if you don't take basic security precautions.
Follow up. Recently the DOJ, Interpol and some other international agencies shut down about 100 of those pharm sites on the same day, and that one was on the list.