I believe they get the information in two ways.

1: Stolen. This can be after break-ins at diverse netshops, pishing (you are redirected to a fake website who looks just like e.g. your bank), or "social engineering" as described by John.

2: Bought from dishonest operators of stores, netshops etc.


I know there is a whole industry trading and selling credit card information. Personally, I never let the card out of sight when using it in stores/restaurants etc. And I am careful about where I use it online.