In the majority of cases, the iframe is injected after the attacker gets the username and password, and they just log in with regular FTP.

What can be done to avoid it?
  • Exercise caution when there is a request to update or divulge contact details.
  • Instead of clicking on the provided links, manually type in the website address of the organisation.
  • Install a firewall and anti-spam software.
  • Ensure your browser is up to date.
For some specific examples:

http://forums.digitalpoint.com/showthread.php?t=901622
http://docs.joomla.org/Category:Security_Checklist 
http://codex.wordpress.org/FAQ_My_site_was_hacked
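
A site owner can check whether pages have already been altered in the way described above by scanning the web root for iframes that are both hidden and loaded from another host. The following is an added example, not part of the original post; the hiding heuristics, the file extensions, and the names `scan_html`, `scan_tree` and `own_hosts` are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Inline styles that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
PAGE_SUFFIXES = {".html", ".htm", ".php", ".tpl"}  # assumed page file types

class IframeFinder(HTMLParser):
    """Records iframes that load from another host and are hidden."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line number, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        try:
            host = urlparse(a.get("src", "")).hostname  # None if relative
        except ValueError:
            host = ""  # malformed URL: treat as off-site
        offsite = host is not None and host not in self.own_hosts
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if offsite and hidden:
            self.findings.append((self.getpos()[0], a.get("src", "")))

def scan_html(text, own_hosts):
    finder = IframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, own_hosts):
    """Yield (path, line, src) for every page file under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            for line, src in scan_html(path.read_text(errors="replace"), own_hosts):
                yield str(path), line, src

# Constructed sample: one legitimate embed, one injected hidden iframe.
SAMPLE = """<html><body>
<iframe src="/widgets/map.html" width="400" height="300"></iframe>
<iframe src="http://bad.example/in.php" width="1" height="1"></iframe>
</body></html>"""
```

Run `scan_tree` over a local copy of the site with `own_hosts` set to the site's own hostnames; any hit is a reason to restore the file from a clean copy and change the FTP password.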