The attack is designed to infect victims with malware that can steal email password credentials through its keylogging and screenshot grabbing features, among others.
This allows users to enter log-in credentials and other sensitive data without actually typing them on their physical keyboards, therefore protecting the information from malware with keylogging abilities.
While the malware was able to collect credit card data, it also performed keylogging to gather credentials that could be used to access other systems with payment and personal data.
Getting the user to give away security credentials through phishing or keylogging is much more effective, and a password's strength is totally irrelevant when it's stolen.