As per our research following are the main reason to come Google Attack Page
First, it knows the files and their default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.
The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password. Which is why strong passwords aren't a defense in this case.
Second, the virus installs a keyboard logger. This variant is relatively new because earlier this year the hackers saw that everyone was telling people not to save their FTP username and passwords, so the hackers started installing keyboard loggers for those who type their passwords in each time. Same follow-through, the stolen information is sent to a server that infects the web site.
Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, send it to a server and ... (you get the idea).
Fourth, and is the most recent, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This latest variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.