An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.

The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.