Quoted from merccat:Are the scammers scanning random number combinations across the web to try to find successful hits or what?
That is one method, but it's not *completely* random. Credit card numbers are made of a few parts: the industry ID, the issuer ID, the account number, and the checksum. From there, a scammer can find a merchant that's a little lax with what info they require to charge something, and then once they get a hit, they either sell the number as a live number or just go bananas.
Other ways to get numbers are from stolen personal information, security breaches (such as the equifax hack), credit card skimmers, malware on POS (point of sale) devices in stores, or someone simply snapping a photo or writing down the info from the card.
Security all around for the credit card ecosystem is really woefully inadequate.