But you could trick users to do something like this. That would take them to a "fake Minecraft forum" for example, telling you to login.
You could do that with links too... No need for image
True true... but images may work more well.
That problem is trivial. Exploiters do this for banks, too, but the users have to be smart enough to realize that minecraftforum.net.ru is not the same as minecraftforum.net, and not to mention they would get suspicious having to log in all over again all of a sudden...
The issue with images is that since they're hotlinked, they're susceptible to XSS (in poorly designed browsers, aka IE), and HTTP features such as the login prompt. One could also post an image which points to a script that logs IP addresses of all the users who browse the forums...
EDIT: This can be subverted by tunneling all images through a web proxy that removes special HTTP headers. The downside is this adds additional overhead to your website and uses more bandwidth. cache daemons, such as squid, try to minimize this overhead.
Let's remove images and links and remove the entire site, that'll show him!
Honestly? The best fix for this "problem" is simply for the user to take the most basic of precautions, like hovering the mouse over the link before clicking to check the URL, and having adequate security software installed. Disabling any sort of BBCode is just a massive inconvenience to everyone EXCEPT the spammers, who most likely are using programs to do this.